Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Lap Account And Transaction Api Specification

Account and Transaction API Specification API skill. Use when working with Account and Transaction API Specification for account-access-consents, accounts, b...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name, description, and listed endpoints are consistent with an Account & Transaction (Open Banking) API reference; requesting a single API credential named ACCOUNT_AND_TRANSACTION_API_SPECIFICATION_API_KEY is plausible for an API integration. However, the SKILL.md repeatedly references OAuth2 as the auth method while the declared required environment variable is an API key, which is an incoherence between stated auth and declared credential.
Instruction Scope
SKILL.md is instruction-only and mainly maps user questions to endpoint paths (expected for a spec helper). It does not instruct the agent to read unrelated system files or secret stores. It is vague about how to perform authentication (just 'Configure auth: OAuth2 | OAuth2') and refers to references/api-spec.lap for full details (that file is not included), which leaves the agent discretion to obtain missing auth or spec information — a scope gap that could lead to unexpected behavior.
Install Mechanism
No install steps or code are present (instruction-only), so nothing is downloaded or written to disk. This minimizes installation risk.
Credentials
Only one environment variable is required, which is proportionate for an API client. The concern is the mismatch: SKILL.md expects OAuth2 but the only declared secret is an API key. It's unclear whether the API key is actually used, or whether the agent will attempt to obtain OAuth tokens by other means. primaryEnv is unset, which is unusual but not dangerous by itself.
Persistence & Privilege
always is false and the skill does not request elevated or persistent system-wide privileges. Autonomous invocation is allowed (platform default) but not combined with other high-risk indicators here.
What to consider before installing
This skill appears to be an instruction-only reference for an Open Banking Account & Transaction API and asks for a single API credential. Before installing:

  1. Verify the source/trustworthiness (homepage is missing and owner ID is unfamiliar).
  2. Clarify the authentication method: the README says OAuth2 but the skill requests an API key, so confirm whether you should provide an API key or an OAuth client/token (providing the wrong secret could expose sensitive credentials to the skill).
  3. Ensure you only provide a scoped, revocable credential (not long-lived high-privilege keys).
  4. Be aware the skill may need the missing references/api-spec.lap or an OAuth flow to function, which could require additional configuration.

If you cannot verify the origin or resolve the auth mismatch, treat installation as higher risk.

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.0
latest: vk97b7zd34rvx8p4bnsbptdxtt18300kt

Runtime requirements

Env: ACCOUNT_AND_TRANSACTION_API_SPECIFICATION_API_KEY

SKILL.md

Account and Transaction API Specification

API version: 4.0.0

Auth

OAuth2 | OAuth2

Base URL

/open-banking/v4.0/aisp

Setup

  1. Configure auth: OAuth2 | OAuth2
  2. GET /accounts -- verify access
  3. POST /account-access-consents -- create first account-access-consents

Endpoints

29 endpoints across 12 groups. See references/api-spec.lap for full details.

account-access-consents

Method | Path | Description
POST | /account-access-consents | Create Account Access Consents
GET | /account-access-consents/{ConsentId} | Get Account Access Consents
DELETE | /account-access-consents/{ConsentId} | Delete Account Access Consents

accounts

Method | Path | Description
GET | /accounts | Get Accounts
GET | /accounts/{AccountId} | Get Accounts
GET | /accounts/{AccountId}/balances | Get Balances
GET | /accounts/{AccountId}/beneficiaries | Get Beneficiaries
GET | /accounts/{AccountId}/direct-debits | Get Direct Debits
GET | /accounts/{AccountId}/offers | Get Offers
GET | /accounts/{AccountId}/parties | Get Parties
GET | /accounts/{AccountId}/party | Get Parties
GET | /accounts/{AccountId}/product | Get Products
GET | /accounts/{AccountId}/scheduled-payments | Get Scheduled Payments
GET | /accounts/{AccountId}/standing-orders | Get Standing Orders
GET | /accounts/{AccountId}/statements | Get Statements
GET | /accounts/{AccountId}/statements/{StatementId} | Get Statements
GET | /accounts/{AccountId}/statements/{StatementId}/file | Get Statements
GET | /accounts/{AccountId}/statements/{StatementId}/transactions | Get Transactions
GET | /accounts/{AccountId}/transactions | Get Transactions

balances

Method | Path | Description
GET | /balances | Get Balances

beneficiaries

Method | Path | Description
GET | /beneficiaries | Get Beneficiaries

direct-debits

Method | Path | Description
GET | /direct-debits | Get Direct Debits

offers

Method | Path | Description
GET | /offers | Get Offers

party

Method | Path | Description
GET | /party | Get Parties

products

Method | Path | Description
GET | /products | Get Products

scheduled-payments

Method | Path | Description
GET | /scheduled-payments | Get Scheduled Payments

standing-orders

Method | Path | Description
GET | /standing-orders | Get Standing Orders

statements

Method | Path | Description
GET | /statements | Get Statements

transactions

Method | Path | Description
GET | /transactions | Get Transactions

Common Questions

Match user requests to endpoints in references/api-spec.lap. Key patterns:

  • "Create an account-access-consent?" -> POST /account-access-consents
  • "Get account-access-consent details?" -> GET /account-access-consents/{ConsentId}
  • "Delete an account-access-consent?" -> DELETE /account-access-consents/{ConsentId}
  • "List all accounts?" -> GET /accounts
  • "Get account details?" -> GET /accounts/{AccountId}
  • "List all balances?" -> GET /accounts/{AccountId}/balances
  • "List all beneficiaries?" -> GET /accounts/{AccountId}/beneficiaries
  • "List all direct-debits?" -> GET /accounts/{AccountId}/direct-debits
  • "List all offers?" -> GET /accounts/{AccountId}/offers
  • "List all parties?" -> GET /accounts/{AccountId}/parties
  • "List all party?" -> GET /accounts/{AccountId}/party
  • "List all product?" -> GET /accounts/{AccountId}/product
  • "List all scheduled-payments?" -> GET /accounts/{AccountId}/scheduled-payments
  • "List all standing-orders?" -> GET /accounts/{AccountId}/standing-orders
  • "List all statements?" -> GET /accounts/{AccountId}/statements
  • "Get statement details?" -> GET /accounts/{AccountId}/statements/{StatementId}
  • "List all file?" -> GET /accounts/{AccountId}/statements/{StatementId}/file
  • "List all transactions?" -> GET /accounts/{AccountId}/statements/{StatementId}/transactions
  • "List all transactions?" -> GET /accounts/{AccountId}/transactions
  • "List all balances?" -> GET /balances
  • "List all beneficiaries?" -> GET /beneficiaries
  • "List all direct-debits?" -> GET /direct-debits
  • "List all offers?" -> GET /offers
  • "List all party?" -> GET /party
  • "List all products?" -> GET /products
  • "List all scheduled-payments?" -> GET /scheduled-payments
  • "List all standing-orders?" -> GET /standing-orders
  • "List all statements?" -> GET /statements
  • "List all transactions?" -> GET /transactions
  • "How to authenticate?" -> See Auth section

Response Tips

  • Check response schemas in references/api-spec.lap for field details
  • Create/update endpoints typically return the created/updated object

References

  • Full spec: See references/api-spec.lap for complete endpoint details, parameter tables, and response schemas

Generated from the official API spec by LAP
