ClawHub

AgentRef

v1.0.1

Use AgentRef's REST API from OpenClaw or any HTTP runtime for merchant onboarding, programs, affiliates, conversions, flags, and payouts; authenticate with A...

0· 65·0 current·0 all-time
byLukas van Uden@lukasvanuden
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description and required items align: the skill targets AgentRef REST usage and only requests AGENTREF_API_KEY. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
SKILL.md limits actions to AgentRef endpoints in the bundled references, mandates GET /api/v1/me first, prefers safe reads, and requires explicit confirmation for writes. It does not instruct reading local files, other env vars, or contacting unexpected external endpoints.
Install Mechanism
Instruction-only skill with no install spec or code to write to disk; lowest install risk.
Credentials
Only AGENTREF_API_KEY is required and declared as the primary credential. The SKILL.md explicitly recommends using a dedicated, least-privilege key which is appropriate for the features exposed.
Persistence & Privilege
always:false and no install actions or modifications to other skills; the skill does not request permanent elevated presence or cross-skill config changes. Note: autonomous invocation (model calls the skill) is allowed by default but is expected for skills and not flagged here.
Assessment
This skill appears coherent and limited to calling AgentRef's REST API. Before installing: (1) provide a dedicated AgentRef API key with the minimum scopes needed (read-only if you only want inspection); (2) be cautious granting write-capable scopes (payouts, blocking affiliates, onboarding completion) because those have real business impact—the skill asks for confirmation before writes, but you should verify intent; (3) there is no installable code, so the main risk is the API key itself—treat it like other service credentials. If you need the agent to act autonomously with high-impact write permissions, consider restricting the key or requiring manual approval for those actions.

Like a lobster shell, security has layers — review code before you run it.

latestvk97cegtksttjkydrdhhndr9p6d8499d3

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

EnvAGENTREF_API_KEY
Primary envAGENTREF_API_KEY

Comments