Personal Client Management System & Finance System

Pass. Audited by VirusTotal on May 12, 2026.

Findings (1)

The skill is classified as suspicious due to the `scripts/api.js` file, which allows arbitrary API calls (method, endpoint, body) to the configured `apiBaseUrl` (defaulting to `https://api.ourproject.app/api`) using the user's API key. This capability, explicitly documented in `SKILL.md` under 'API Query (Advanced)', creates a significant prompt injection vulnerability. An attacker could craft a prompt to the OpenClaw agent, instructing it to execute `node scripts/api.js` with malicious arguments, leading to unauthorized actions within the user's `ourproject.app` account. While the script does not allow requests to arbitrary external domains, the broad control over the `ourproject.app` API constitutes a high risk.