Zyt credentials guard
PassAudited by ClawScan on May 1, 2026.
Overview
This instruction-only skill is coherently focused on helping users manage Chanjing credentials locally, but it does handle real API secrets and tokens.
Before installing, understand that this skill is meant to help manage Chanjing AK/SK credentials in a local file and refresh access tokens through Chanjing’s API. Do not paste secrets into chat, verify the credential file path, and use it only in an environment where local files and API credentials are trusted.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used incorrectly or with an untrusted agent environment, Chanjing API credentials could be exposed or used for account actions.
The skill is explicitly designed to read local Chanjing access keys, secret keys, and tokens. This is purpose-aligned and clearly disclosed, but these are sensitive account credentials.
AK/SK and Token are read from the same local config file. - Path: `~/.chanjing/credentials.json` (overridable by env `CHANJING_CONFIG_DIR`)
Use this only in a trusted local environment, keep the credential file private, and do not paste AK/SK values into chat.
The Chanjing service receives the AK/SK in order to issue a token; this is normal for token refresh but involves real account credentials.
The skill sends the configured app_id and secret_key to the documented Chanjing token endpoint to obtain or refresh an access token. This is expected for the credential-management purpose and is not hidden.
POST https://open-api.chanjing.cc/open/v1/access_token ... "app_id": "{{app_id}}", "secret_key": "{{secret_key}}"Confirm the endpoint is the intended Chanjing API domain before use, and rotate keys if they are ever shared in chat or exposed elsewhere.