ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Lap Adyen Data Protection Api

v1.0.0

Adyen Data Protection API skill. Use when working with Adyen Data Protection for requestSubjectErasure. Covers 1 endpoint.

0· 44·0 current·0 all-time
by@mickmicksh
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, and declared environment variable (ADYEN_DATA_PROTECTION_API_KEY) align with an Adyen Data Protection API skill for requestSubjectErasure. The base URL is the Adyen test endpoint (ca-test.adyen.com), which is plausible for a test integration.
!
Instruction Scope
SKILL.md instructs only to POST /requestSubjectErasure and to set an Authorization header, but the doc is inconsistent: it lists both "ApiKey X-API-Key in header" and "Set Authorization header with your Bearer token." That conflict means the instructions could cause the agent to send the wrong credential type. The doc also suggests running npx @lap-platform/lapsh commands (external CLI usage) with no install spec or guarantee that lapsh is available.
Install Mechanism
Instruction-only skill with no install steps or packages — lowest-risk install footprint. However, the instructions reference running npx/lapsh which are not provided by the skill and may fail or lead the agent to attempt installing external tooling.
!
Credentials
Only a single env var (ADYEN_DATA_PROTECTION_API_KEY) is declared, which is proportionate for an API integration. The concern is that the SKILL.md's auth guidance doesn't clearly map to that env var (X-API-Key header vs Bearer token), so it's unclear what credential you'll actually be giving the agent or how it will be used.
Persistence & Privilege
Skill is not always-enabled and is user-invocable; it does not request unusual privileges or system config paths. Autonomous invocation is allowed (platform default) but not combined with other high-risk flags here.
What to consider before installing
This skill mostly matches its stated purpose (calling Adyen's requestSubjectErasure endpoint) but the documentation is inconsistent about authentication. Before installing or supplying credentials: 1) Confirm whether the API expects an X-API-Key header or a Bearer token and update the skill or your usage accordingly. 2) Prefer using a test/sandbox API key (the base URL is a test host) — do not supply production secrets until the auth method is clarified. 3) Be aware the SKILL.md suggests running npx/lapsh commands; the skill doesn't install that tooling, so the agent might try to run or install it. 4) If you accept this skill, monitor outgoing requests and limit the credential scope (use least-privilege/test keys). If the source of the skill is unknown or you cannot clarify the auth mismatch, avoid providing sensitive keys.

Like a lobster shell, security has layers — review code before you run it.

latestvk97129qmdpd03m95fvx5b194xs84a2m3

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

EnvADYEN_DATA_PROTECTION_API_KEY

Comments