Scan Report
0 /100
felo-superAgent
AI conversation with real-time SSE streaming on a persistent LiveDoc canvas
Felo SuperAgent is a legitimate API client skill that makes authenticated HTTP requests to the Felo Open Platform API. All capabilities are properly declared, no sensitive data access, no credential exfiltration, and no suspicious execution patterns detected.
Safe to install
No action needed. The skill is safe to use as described.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Network | READ | READ | ✓ Aligned | HTTP requests to https://openapi.felo.ai with Bearer token authentication (run_s… |
| Shell | NONE | NONE | — | SKILL.md: Shell execution not declared. Scripts use Node.js for API calls only, … |
| Filesystem | NONE | NONE | — | No file read/write operations in scripts |
| Environment | READ | READ | ✓ Aligned | SKILL.md declares env var usage. Scripts read FELO_API_KEY only (run_superagent.… |
| Clipboard | NONE | NONE | — | No clipboard access detected |
| Browser | NONE | NONE | — | No browser access detected |
| Database | NONE | NONE | — | No database access detected |
| Skill Invoke | READ | READ | ✓ Aligned | Depends on felo-livedoc skill for LiveDoc management (clawhub.json) |
1 High 7 findings
High API Key 疑似硬编码凭证
API_KEY="your-api-key-here" README.md:64 Medium External URL 外部 URL
https://felo.ai/livedoc/... README.md:266 Medium External URL 外部 URL
https://custom-api.example.com README.md:376 Medium External URL 外部 URL
https://openapi.felo.ai/docs/api-reference/v2/superagent.html README.md:394 Medium External URL 外部 URL
https://openapi.felo.ai/docs/ README.md:395 Medium External URL 外部 URL
https://felo.ai/livedoc/QPetunwpGnkKuZHStP7gwt SKILL.md:375 Medium External URL 外部 URL
https://openapi.felo.ai SKILL.md:644 File Tree
5 files · 77.6 KB · 2005 lines Markdown 2f · 1208L
JavaScript 2f · 784L
JSON 1f · 13L
├─
▾
scripts
│ ├─
run_style_library.mjs
JavaScript
│ └─
run_superagent.mjs
JavaScript
├─
clawhub.json
JSON
├─
README.md
Markdown
└─
SKILL.md
Markdown
Security Positives
✓ No shell command execution - uses Node.js for all API interactions
✓ No credential exfiltration - FELO_API_KEY used only for Bearer authentication to legitimate API endpoint
✓ No sensitive path access - does not read ~/.ssh, ~/.aws, or .env files
✓ No base64/encoded payloads piped to shell
✓ No remote script execution (curl|bash, wget|sh)
✓ No hidden instructions in HTML comments or embedded data
✓ API key read from environment variable only, never hardcoded in code
✓ Clear doc-to-code alignment: SKILL.md accurately describes all functionality
✓ Scripts are self-contained JavaScript with no external dependencies requiring installation
✓ SSE streaming is standard HTTP behavior for real-time responses
✓ All external URLs point to legitimate Felo AI domain (openapi.felo.ai)