cpef-psbc

v1.0.0

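Postal Savings Bank of China (PSBC) bank-enterprise direct-connect interface, supporting balance queries, transaction detail queries, and payment review operations.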

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
OpenClaw
Suspicious
medium confidence
! Purpose & Capability
The skill's purpose is a bank API integration which legitimately requires a gateway URL, merchant ID, and signing secret/certificate. Those items appear only as empty placeholders in config.js (baseUrl, merch_id, signSecret) but the skill declares no required environment variables or configuration paths. That mismatch is unexpected and incoherent for a banking integration.
! Instruction Scope
SKILL.md only describes API parameters (OpName, Query_Account, etc.) and does not explain how to supply credentials, how to configure the base URL, or how to obtain or store signing material. Two code files (api.js, sign.js) are present but empty, leaving runtime behavior undefined. The agent might be expected to call external endpoints, but no endpoint or auth flow is provided.
Install Mechanism
No install spec is provided (instruction-only). This is low-risk from an installation perspective because nothing is downloaded or written by an installer.
! Credentials
The skill requests no environment credentials in the metadata, yet config.js contains fields for sensitive values (merch_id, signSecret). Those fields are not declared or documented as required env vars — a red flag because sensitive bank credentials are involved but not handled or requested explicitly/securely.
Persistence & Privilege
The skill does not request always:true and uses default invocation settings. It does not appear to request elevated persistent privileges.
What to consider before installing
This skill is incomplete and should be treated with caution. It purports to connect to a bank but provides no endpoint or secure credential handling and includes empty code files and a config file with placeholder secrets (and a syntax issue in the signSecret line). Before installing or trusting this skill, ask the maintainer for: (1) a complete implementation (non-empty api/sign code), (2) explicit declaration of required environment variables or secure secret storage, (3) a valid baseUrl and documentation of the API endpoints, and (4) removal of obvious syntax errors and placeholder values. Do not paste real merchant IDs, signing secrets, or bank credentials into this skill's config until the issues are resolved and you verify the source. If you need, provide the full code or a link to the repository and I can re-evaluate.

Like a lobster shell, security has layers — review code before you run it.
