Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Lap Adyen Test Cards Api

v1.0.0

Adyen Test Cards API skill. Use when working with Adyen Test Cards for createTestCardRanges. Covers 1 endpoint.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description and required env var (ADYEN_TEST_CARDS_API_KEY) align with a small API integration for Adyen test cards and the base URL is the Adyen test endpoint. This is proportional to the stated single-endpoint purpose.
Instruction Scope
The SKILL.md's auth guidance is inconsistent: it lists both 'ApiKey X-API-Key in header' and 'Bearer', then tells the user to 'Set Authorization header with your Bearer token'. The document also says 'Bearer basic' (mixed terms). This ambiguity could cause the agent to send the wrong credential header. The instructions otherwise do not request unrelated files, paths, or extra environment secrets.
Install Mechanism
No install spec or code files are present (lower risk). However the CLI examples call 'npx @lap-platform/lapsh', which would fetch and run a package from npm if executed — this is optional documentation but could run remote code if the agent or user follows it. The skill metadata does not declare Node/npm as a required binary, creating a mild mismatch.
Credentials
Only one env var is declared (ADYEN_TEST_CARDS_API_KEY), which is reasonable for an API integration. The main concern is that the SKILL.md asks for a 'Bearer token' while the declared env var name implies an API key (X-API-Key); the discrepancy should be clarified before supplying credentials. Do not provide production Adyen credentials to a test-only tool unless you understand which environment is targeted.
Persistence & Privilege
The skill is instruction-only, has no install, and is not always-enabled. It does not request system-wide config changes or persistent privileges.
What to consider before installing
This skill is small and generally matches its purpose (calling Adyen test-card endpoint), but the authentication instructions are inconsistent. Before installing or using it:
1) Confirm whether the API expects an X-API-Key header or a Bearer token for this endpoint (check Adyen docs or your account's test credentials).
2) Only set ADYEN_TEST_CARDS_API_KEY to a test-key for the Adyen test environment — avoid supplying production account secrets.
3) Be cautious if you run the provided 'npx' commands: npx will download and run packages from npm. If you plan to execute those commands, review the package source first or run them in an isolated environment.
If the developer can clarify the exact auth header required and remove the mixed 'Bearer/basic' wording, the remaining issues are minor.


latestvk974v1hk2aqar95dx9r8wpc3x184av43

Runtime requirements

Env: ADYEN_TEST_CARDS_API_KEY
