ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Lap Advisormanagementclient

v1.0.0

AdvisorManagementClient API skill. Use when working with AdvisorManagementClient for providers, subscriptions, {resourceUri}. Covers 15 endpoints.

0· 42·1 current·1 all-time
by@mickmicksh
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name, description, base URL (management.azure.com), and listed endpoints align with Azure Advisor/AdvisorManagementClient and the claimed 15 endpoints — purpose is plausible and coherent with the endpoints provided.
!
Instruction Scope
SKILL.md explicitly requires configuring OAuth2 for auth and shows Azure management endpoints, which is appropriate, but it also references running 'npx @lap-platform/lapsh' in the CLI section (which will fetch code at runtime). The doc does not declare required binaries or explain the OAuth2 flow (tenant/client-id/secret or token exchange). The instructions are vague about how the agent should obtain and use credentials and implicitly encourage running external npx commands.
Install Mechanism
There is no install spec and no code files — lowest-risk form. However, instructions reference npx which would fetch a package on demand; that is not part of an install spec and should be noted by the user.
!
Credentials
The skill declares a single required env var ADVISORMANAGEMENTCLIENT_API_KEY, but the SKILL.md states OAuth2 auth (Azure typically requires OAuth2 tokens / service principal credentials: tenant, client id, client secret, or an access token). Requiring a single 'API_KEY' is inconsistent with OAuth2 and with typical Azure management auth, and no primary credential is declared. This mismatch could lead to users exposing inappropriate credentials or misconfiguring auth.
Persistence & Privilege
always is false and the skill is instruction-only with no install — it does not request permanent presence or elevated platform privileges.
What to consider before installing
Proceed with caution. The skill appears to target Azure Advisor endpoints, but the publisher is unknown and the auth instructions are inconsistent: SKILL.md says use OAuth2 (Azure AD / service principal flow), yet the declared required env var is ADVISORMANAGEMENTCLIENT_API_KEY. Before installing, ask the publisher to clarify the exact authentication method and the precise environment variables needed (tenant ID, client ID, client secret or a short-lived OAuth token are typical for Azure). Do not supply broad Azure credentials until you confirm the minimum required permissions (use a least-privilege service principal scoped to Advisor). Note that the README suggests running 'npx ...' (which will download code at runtime) — ensure you trust that package and that the agent's environment allows such network installs. If you cannot verify the source or correct credential requirements, treat this skill as risky and avoid installing it.

Like a lobster shell, security has layers — review code before you run it.

latestvk97ern71h8b72hqnx7jsjnkr4s83wfhs

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

EnvADVISORMANAGEMENTCLIENT_API_KEY

Comments