Clovercli
Review
Audited by ClawScan on May 10, 2026.
Overview
This appears to be a Clover POS CLI helper, but it asks users to trust an external package with broad business-account credentials and sensitive POS operations that are not declared in the skill metadata.
Install only if you trust the external Clover CLI package and are comfortable giving it access to your POS account. Use a least-privilege Clover token, avoid storing long-lived tokens in ~/.bashrc, confirm any create/delete/raw API action before running it, and ignore or remove the embedded known-client merchant ID.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If installed and used, the agent or CLI may be able to access sensitive Clover business data under the user's account token.
The skill requires Clover account credentials, while the registry metadata declares no required environment variables or primary credential. Those credentials can authorize access to merchant POS data and account actions.
export CLOVER_ACCESS_TOKEN="your-token"
export CLOVER_MERCHANT_ID="your-merchant-id"
Declare the credential requirements in metadata, document the needed token scopes, prefer least-privilege/read-only tokens where possible, and avoid storing long-lived tokens in shell startup files.
A mistaken or overly autonomous use could change merchant discounts or query arbitrary Clover API paths under the configured token.
The skill documents account-changing commands and a raw API endpoint interface, but does not define approval requirements, endpoint limits, or rollback guidance for high-impact operations.
clovercli discounts create --name "10% Off" --percentage 10
clovercli discounts delete <id>
...
clovercli api get '/v3/merchants/{mId}/tax_rates'
Require explicit user confirmation before create/delete/raw API operations, keep read-only reporting as the default, and document safe operating boundaries.
The user must trust the external package with the configured Clover token.
Installing a CLI package is expected for this purpose, but the reviewed artifact set contains no install spec or package code, so the external npm/GitHub code is outside this review.
npm i -g @versatly/clovercli
...
git clone https://github.com/Versatly/clovercli.git
cd clovercli && npm install && npm run build
Verify the npm/GitHub package, pin a reviewed version, and include an install spec or reviewed source files in the skill package.
A user or agent could accidentally target a merchant ID that is not theirs, and the documentation exposes client-specific business context.
A generic Clover CLI skill includes a specific client merchant ID and personal note, which is unnecessary for the stated purpose and may confuse account boundaries.
| REMEMBR | 6KF70H0B6E041 | Mauricio's Brazilian restaurant (Pedro's dad) |
Remove client-specific merchant IDs and personal notes; require each user to provide only their own merchant ID.
