Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

payment-processor

v1.0.0

Process payments

MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
OpenClaw
Suspicious
medium confidence
! Purpose & Capability
The declared purpose (process payments) is consistent with needing an API key, but the skill bundle contains no payment integration code and no install steps. The SKILL.md expects a local script (scripts/payment_processor.py) that does not exist in the package, so the package cannot deliver the capability it claims.
! Instruction Scope
Runtime instructions tell the agent to run 'python3 scripts/payment_processor.py' and to read the environment variable PROCESS_API_KEY. Since the package provides no scripts/ directory and no code file, the instructions are incomplete: an agent or user following them will either fail on a missing file or be led to fetch and execute code from outside the package. The SKILL.md also references an env var that is not declared in the skill manifest.
Install Mechanism
No install mechanism is provided (the skill is instruction-only), which is low risk on its own. Combined with instructions that expect local code to be present, however, the missing install step makes the package incoherent: nothing puts the expected script in place.
! Credentials
The SKILL.md requires PROCESS_API_KEY, which is plausible for a payment integration, but the skill metadata declares no required env vars and no primary credential. Requiring a payment API key without declaring it is a mismatch that should be clarified. Payment API keys are sensitive: their use should be explicit and minimal, and the key should carry no more privilege than the integration needs.
Persistence & Privilege
The skill does not request persistent inclusion (always:false) and does not modify other skills or system settings. No elevated persistence privileges are requested.
What to consider before installing
Do not install or enable this skill until the inconsistencies are resolved. Specifically:
(1) ask the publisher for the missing code (scripts/payment_processor.py) or for an install process; right now the skill has no executable logic;
(2) require the manifest to explicitly declare PROCESS_API_KEY and the service it is for, and verify that the key carries the minimum privileges the integration needs;
(3) request a source/homepage link and an auditable repository or release so you can inspect the payment integration (endpoints, TLS usage, where credentials are sent);
(4) do not paste real payment API keys into a skill of unknown provenance; use test/sandbox keys until the code has been reviewed.
These steps reduce risk and make the skill's behavior auditable.
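Steps (1) and (2) can be checked mechanically before the bundle ever reaches an agent. The script below is an added example, not ClawHub's scanner and not OpenClaw's code: it builds a constructed bundle that mirrors this listing (a SKILL.md naming scripts/payment_processor.py and PROCESS_API_KEY, no scripts/ directory, nothing declared), reports the same two mismatches the scan found, and then shows the audit passing once the script is shipped and the key declared. The manifest.json layout with a requires.env list is an assumption made for the example, not a documented OpenClaw manifest format.

```python
"""Pre-install consistency audit for an instruction-only skill bundle.

Added example, not ClawHub's scanner or OpenClaw's own code. It reproduces on
a constructed bundle the two findings reported above: a SKILL.md that tells
the agent to run a script the package does not ship, and one that reads an
environment variable the manifest never declares. The manifest layout
(manifest.json with a requires.env list) is an assumption for this example.
"""
import json
import re
import tempfile
from pathlib import Path

# Local scripts the instructions tell the agent to execute, e.g. "python3 scripts/x.py".
SCRIPT_REF = re.compile(r"\b(?:python3?|bash|sh|node)\s+([\w./-]+\.(?:py|sh|js))")
# Environment variables the instructions read: $NAME, ${NAME}, or a bare
# credential-looking name such as PROCESS_API_KEY.
ENV_REF = re.compile(
    r"\$\{?([A-Z][A-Z0-9_]{2,})\}?|\b([A-Z][A-Z0-9_]{2,}_(?:KEY|TOKEN|SECRET|PASSWORD))\b"
)


def load_manifest(skill_dir: Path) -> dict:
    """Read manifest.json if present; an absent manifest declares nothing."""
    path = skill_dir / "manifest.json"
    return json.loads(path.read_text()) if path.is_file() else {}


def audit_skill(skill_dir: Path) -> list[str]:
    """Return human-readable findings; an empty list means the bundle is consistent."""
    findings: list[str] = []
    skill_md = (skill_dir / "SKILL.md").read_text()
    declared_env = set(load_manifest(skill_dir).get("requires", {}).get("env", []))

    # 1. Every script the instructions invoke must ship inside the package.
    for script in sorted(set(SCRIPT_REF.findall(skill_md))):
        if not (skill_dir / script).is_file():
            findings.append(
                f"missing script: SKILL.md runs '{script}' but it is not in the package"
            )

    # 2. Every env var the instructions read must be declared in the manifest.
    referenced_env = {dollar or bare for dollar, bare in ENV_REF.findall(skill_md)}
    for name in sorted(referenced_env - declared_env):
        findings.append(
            f"undeclared env var: SKILL.md reads {name} but the manifest does not declare it"
        )

    # 3. A declared credential the instructions never use is an over-broad request.
    for name in sorted(declared_env - referenced_env):
        findings.append(
            f"unused env var: manifest declares {name} but SKILL.md never references it"
        )
    return findings


def build_sample_bundle() -> Path:
    """Constructed bundle mirroring the flagged skill: no scripts/, nothing declared."""
    root = Path(tempfile.mkdtemp(prefix="skill-audit-"))
    (root / "SKILL.md").write_text(
        "---\nname: payment-processor\ndescription: Process payments\n---\n"
        "Set PROCESS_API_KEY in the environment, then run\n"
        "'python3 scripts/payment_processor.py' to process a payment.\n"
    )
    (root / "manifest.json").write_text(
        json.dumps({"name": "payment-processor", "requires": {"env": []}})
    )
    return root


def make_consistent(root: Path) -> None:
    """Apply the fixes the review asks for: ship the script and declare the key."""
    (root / "scripts").mkdir(exist_ok=True)
    (root / "scripts" / "payment_processor.py").write_text(
        "import os, sys\n"
        "sys.exit(0 if os.environ.get('PROCESS_API_KEY') else 'PROCESS_API_KEY is not set')\n"
    )
    (root / "manifest.json").write_text(
        json.dumps({"name": "payment-processor", "requires": {"env": ["PROCESS_API_KEY"]}})
    )


if __name__ == "__main__":
    bundle = build_sample_bundle()
    for finding in audit_skill(bundle):
        print("FLAG:", finding)
    make_consistent(bundle)
    print("after fixes:", audit_skill(bundle) or "consistent")
```

To use it on a real download, unpack the zip and pass its directory to audit_skill. Treat any "missing script" finding as a hard stop: the only way for the agent to satisfy such an instruction is to obtain code from somewhere outside the package you reviewed.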

Like a lobster shell, security has layers — review code before you run it.

latest · vk97b04hbtktks30bvep2avghrs83qv8t

