CAPTCHAS OpenClaw
PassAudited by ClawScan on May 1, 2026.
Overview
This is a coherent instruction-only integration guide for a CAPTCHA verification API, with expected API-key use and disclosed data-sharing cautions.
This appears safe to install as an instruction-only integration guide. Before using it, make sure the CAPTCHAS API key is stored securely and that any `signals` data sent to the service excludes personal or sensitive information unless strictly necessary.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone or any agent process with this key may be able to call the CAPTCHAS API under the user’s account.
The skill requires an API key for the CAPTCHAS service, which is expected for this integration but grants access to the user's CAPTCHAS account/API usage.
`CAPTCHAS_API_KEY` = `<your-api-key>` ... `x-api-key`: required (use `CAPTCHAS_API_KEY`).
Use a scoped API key if available, store it securely, and rotate it if it may have been exposed.
If configured carelessly, private user or request data could be included in CAPTCHA verification signals sent to the provider.
The tool schema allows arbitrary signal data to be sent to the CAPTCHAS integration, and the artifact itself warns not to include personally identifiable information.
`signals`: {"type": "object", "additionalProperties": true} ... Avoid sending PII in `signals`.Limit `signals` to the minimum needed for verification and exclude personal, secret, or unnecessary user data.