Stove Public Api

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may make HTTP GET requests to the configured API host when using this skill.

Why it was flagged

The skill intentionally grants network access through a shell-run Python helper and allows overriding the API root. This is disclosed and aligned with querying a public API, but any custom endpoint you supply should be one you trust.

Skill content
permissions:
  - network
entryPoint:
  type: shell
  path: scripts/public_api.py
...
- `--base-url` (optional): if provided, overrides the env rule above and uses a custom root address.

Recommendation

Use the default production or documented test Stove endpoints unless you intentionally trust a custom base URL.