CAPTCHAS OpenClaw

Name/description (CAPTCHAS integration) aligns with declared env vars (CAPTAS_API_KEY, CAPTCHAS_ENDPOINT) and the API endpoints referenced. Requested credentials and endpoint are expected for this integration.

SKILL.md contains only API integration guidance and tool schemas. It does not instruct the agent to read unrelated system files or other credentials. Note: the 'signals' parameter is free-form (additionalProperties allowed) and the doc warns to avoid PII but does not enforce it — this is a possible data-exposure risk if callers put sensitive user data into signals. The example plugin's execute() simply returns JSON.stringify(params), which in a real integration could cause sensitive inputs to be reflected into tool output/logs.

Instruction-only skill with no install spec and no code files — lowest-risk install posture; nothing is written to disk or downloaded by the skill itself.

Only two environment variables are required: CAPTCHAS_API_KEY (primary credential) and CAPTCHAS_ENDPOINT. Both are appropriate and necessary for an API integration; no unrelated credentials or broad config paths are requested.

Skill is not always-enabled and does not request system-wide privileges or attempt to modify other skills. Default autonomous invocation is allowed (platform default) but not combined with other concerning privileges here.