Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Lap Account Api

v1.0.0

Account API skill. Use when working with Account for custom_policy, fulfillment_policy, payment_policy. Covers 36 endpoints.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

! Purpose & Capability
Name/description match the documented endpoints (Account API for policies). However, the declared required environment variable (ACCOUNT_API_KEY) is not consistent with the SKILL.md, which specifies OAuth2 for authentication — requesting an API key is unexpected for an OAuth2-only eBay API skill.
Instruction Scope
SKILL.md is an instruction-only API reference that stays within the Account API domain and lists endpoints and basic steps (configure OAuth2, call endpoints). It does not instruct reading unrelated files or exfiltrating data. However it is vague about how to obtain/provide OAuth2 credentials and does not reference the declared ACCOUNT_API_KEY variable anywhere in the visible instructions.
Install Mechanism
No install spec or code files — instruction-only skill, so it does not download or install binaries.
! Credentials
Only ACCOUNT_API_KEY is required according to metadata, but eBay Sell Account APIs use OAuth2 tokens. The credential name and the lack of a primary credential declaration are not justified by the SKILL.md. This mismatch raises the risk that the skill will ask for or store a credential that doesn't match the documented auth flow, or will expect a long-lived token presented as an API key.
Persistence & Privilege
always is false and there are no install scripts or config paths. The skill does not request persistent platform privileges.
What to consider before installing
This skill appears to be a documentation-style integration for the eBay Sell Account API and is instruction-only (no installers). However, the metadata requires ACCOUNT_API_KEY while the SKILL.md says the API uses OAuth2. Before installing or providing credentials:
1) Confirm with the skill author what credential to supply (OAuth2 access/refresh token vs an API key) and how it will be used/stored.
2) Do not hand over unrelated secrets (AWS keys, GitHub tokens, etc.).
3) If the skill expects an OAuth2 token, prefer giving short-lived tokens or use an OAuth flow that you control; avoid pasting long-lived secrets into third-party skills.
4) Because the instructions are vague about obtaining/refreshing tokens, treat credential handling as a potential risk until clarified.

Like a lobster shell, security has layers — review code before you run it.

latest: vk977q927kbj4kazjvch2cezk0583f2vw

Runtime requirements

Env: ACCOUNT_API_KEY
