Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Lap Adyen Stored Value Api
v1.0.0Adyen Stored Value API skill. Use when working with Adyen Stored Value for changeStatus, checkBalance, issue. Covers 6 endpoints.
⭐ 0· 13·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name and description match the listed endpoints and the declared required env var (ADYEN_STORED_VALUE_API_KEY) is appropriate for an Adyen integration. The base URL points at Adyen's test host (pal-test.adyen.com), which is coherent for testing but the skill does not state explicitly that it targets a test environment.
Instruction Scope
SKILL.md tells the agent to 'Set Authorization header with your Bearer token' while the metadata and auth section also reference an ApiKey (X-API-Key). This is a direct contradiction: it's unclear whether calls should use X-API-Key or an Authorization: Bearer token. The instructions also reference a local file (references/api-spec.lap) and npx commands to fetch the spec—these are fine as examples but could lead to running npx (which downloads/executes code) if followed. There is no instruction to read unrelated files or environment variables.
Install Mechanism
Instruction-only skill with no install spec and no code files. There is no package download or filesystem installation specified in the skill itself (lowest installation risk). The CLI examples use npx, but that's an optional example rather than an automated install step.
Credentials
The skill requires a single environment variable ADYEN_STORED_VALUE_API_KEY, which is appropriate. However, the instructions ask for a Bearer token in the Authorization header, creating mismatch between declared required env var and the runtime auth guidance—this could cause misuse (e.g., supplying the wrong credential).
Persistence & Privilege
No elevated privileges requested, always:false, no config paths, and the skill is user-invocable. It does not request permanent presence or modify other skills.
What to consider before installing
This skill appears to implement Adyen Stored Value endpoints and only asks for a single API key env var, which is reasonable — but the SKILL.md is ambiguous about authentication: it mentions both X-API-Key and 'Authorization: Bearer' and even instructs to 'Set Authorization header with your Bearer token'. Before installing or using it, confirm which credential Adyen expects for Stored Value in your environment (X-API-Key vs Bearer token) and update the skill or your usage accordingly. Also note the base URL in the skill points to Adyen's test host (pal-test.adyen.com) — verify whether you intend to use test or production endpoints and do not supply production credentials until that is clarified. If you plan to run the provided npx examples, be aware npx fetches packages from npm at runtime; only run them if you trust the package source. If the skill came from an unknown author, ask for provenance or a link to the official API spec (or compare this SKILL.md to Adyen's official docs) — resolving the auth mismatch and confirming the intended environment would likely move this from 'suspicious' to 'benign.'Like a lobster shell, security has layers — review code before you run it.
latestvk97c5yy0q8ds9ta6brrgr2ktad84a140
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
EnvADYEN_STORED_VALUE_API_KEY