Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Lap Adyen Checkout Api
v1.0.0
Adyen Checkout API skill. Use when working with Adyen Checkout for applePay, cancels, cardDetails. Covers 28 endpoints.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, and the single required env var (ADYEN_CHECKOUT_API_KEY) align with an Adyen Checkout API helper. However, the SKILL.md is inconsistent about authentication: the top notes 'ApiKey X-API-Key in header | Bearer basic' while the Setup step instructs 'Set Authorization header with your Bearer token'. That inconsistency could lead to misuse of credentials or confusion about which secret is expected.
Instruction Scope
The instructions are narrowly scoped to calling Adyen endpoints and mapping user intents to endpoints. They reference a local spec file (references/api-spec.lap) for schemas and suggest using the lapsh CLI (npx @lap-platform/lapsh) to fetch/update the spec. The referenced file is not included in the package, so the agent may attempt network access (via npx) or operate with incomplete schema info. There are no instructions to read unrelated system files or exfiltrate data.
Install Mechanism
Instruction-only skill with no install spec and no code files — nothing is written to disk by the skill bundle itself. This is low-risk from an install perspective.
Credentials
Only one env var is required (ADYEN_CHECKOUT_API_KEY), which is proportional for an API client. The only concern is the auth mismatch in the docs (API key header vs. Bearer token), which could cause the agent or user to expose or misuse credentials (e.g., supplying a bearer token where an API key is expected).
Persistence & Privilege
always is false and there are no install hooks or indications the skill modifies other skills or system-wide settings. The skill can be invoked autonomously (default), which is normal; this is not in itself a red flag here.
What to consider before installing
- The skill is instruction-only and appears designed to call Adyen Checkout endpoints; requiring ADYEN_CHECKOUT_API_KEY is reasonable. However, its docs contradict themselves about how to authenticate (X-API-Key header vs Authorization: Bearer). Clarify which header your system should use before supplying credentials.
- The SKILL.md references references/api-spec.lap (not included) and suggests running 'npx @lap-platform/lapsh', which would reach external networks. If you allow the agent to run those commands, it could fetch or update specs from the network — be cautious and prefer running such commands yourself.
- Avoid giving a high-privilege or production API key to this skill until you confirm the expected auth method and behaviour. Use a scoped/test key if possible (the base URL in the doc is the Adyen test endpoint). Rotate keys after testing.
- The bundle does not install software or write files itself, lowering install risk. Still verify logs or agent activity to ensure it only calls Adyen endpoints and does not attempt to access other secrets or local files.
- If you need higher confidence, ask the publisher for the complete api-spec.lap or a code-backed client, and confirm which header (X-API-Key or Authorization) the skill will set when calling endpoints.

Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
Env: ADYEN_CHECKOUT_API_KEY
