CAPTCHAS OpenClaw
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone or any agent process with this key may be able to call the CAPTCHAS API under the user’s account.
The skill requires an API key for the CAPTCHAS service, which is expected for this integration but grants access to the user's CAPTCHAS account/API usage.
`CAPTCHAS_API_KEY` = `<your-api-key>` ... `x-api-key`: required (use `CAPTCHAS_API_KEY`).
Use a scoped API key if available, store it securely, and rotate it if it may have been exposed.
If configured carelessly, private user or request data could be included in CAPTCHA verification signals sent to the provider.
The tool schema allows arbitrary signal data to be sent to the CAPTCHAS integration, and the artifact itself warns not to include personally identifiable information.
`signals`: {"type": "object", "additionalProperties": true} ... Avoid sending PII in `signals`.Limit `signals` to the minimum needed for verification and exclude personal, secret, or unnecessary user data.