Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Privacy virtual credit cards
v1.0.2
Use the Privacy CLI to create and manage Privacy Virtual Cards directly from the terminal. Trigger this skill whenever the user asks to create, list, pause,...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's purpose (manage Privacy virtual cards) legitimately requires an API key and the official privacy CLI. The SKILL.md explicitly requires PRIVACY_API_KEY, npm/node, and the @privacy-com/privacy-cli package, but the registry metadata lists no required env vars or binaries — an inconsistency between declared metadata and the runtime instructions.
Instruction Scope
The instructions stay within the stated purpose (create/list/pause/close cards, list transactions). They correctly warn about handling PAN data and require explicit user confirmation for full PAN retrieval. The SKILL.md also notes the CLI resolves the API key from either PRIVACY_API_KEY or ~/.privacy/config — meaning the agent may indirectly access the user's credential file if the CLI reads it. The instructions do not ask to read unrelated system files, but they do rely on a user-managed secret and a config file.
Install Mechanism
This is an instruction-only skill (no install spec). The SKILL.md tells the agent to run `npm install -g @privacy-com/privacy-cli` if the CLI is missing. Installing a global npm package is a reasonable way to obtain the CLI, but it involves running third-party code from the npm registry — this is moderate risk and should be done deliberately. The install step is not reflected in registry install metadata.
Credentials
Access to PRIVACY_API_KEY (and the CLI's ~/.privacy/config) is directly required for the skill's functionality, so the secret itself is proportionate. However, the registry metadata does not declare the PRIVACY_API_KEY or required binaries — the omission makes it unclear to users and platform permission systems what secrets/binaries the skill will use. The skill also allows retrieval of very sensitive PAN data (appropriately gated by a confirmed user prompt).
Persistence & Privilege
The skill is not forced-always, does not request persistent system-wide privileges, and does not modify other skills. Autonomous model invocation is enabled (the platform default) but not combined with other high-risk flags.
What to consider before installing
Before installing or enabling this skill:
1) Note the mismatch — SKILL.md requires PRIVACY_API_KEY, npm/node, and the privacy CLI, but the registry metadata does not declare these. Ask the publisher to correct metadata so you (and the platform) can make an informed permission decision.
2) Treat PRIVACY_API_KEY as highly sensitive: only set it in environments you control, and avoid exposing it to agents you don't trust.
3) The skill may cause you (or the agent) to install a global npm package — installing from npm runs third-party code, so prefer installing manually and verifying the package (@privacy-com/privacy-cli) is the official one.
4) The skill can retrieve full PAN data; follow the SKILL.md guidance: require explicit user confirmation and never persist PANs to disk or logs.
5) If you want to limit risk, restrict the agent's ability to invoke this skill autonomously (or require manual approval) and verify that the agent/platform will not expose ~/.privacy/config or other credentials without your consent.
6) If you need higher assurance, ask the maintainer for an install spec and for registry metadata to accurately list required env vars and binaries.
Like a lobster shell, security has layers — review code before you run it.
