Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Lap Altoroj Rest Api

v1.0.0

AltoroJ REST API skill. Use when working with AltoroJ REST for login, account, transfer. Covers 12 endpoints.


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for mickmicksh/lap-altoroj-rest-api.

Install the skill "Lap Altoroj Rest Api" (mickmicksh/lap-altoroj-rest-api) from ClawHub.
Skill page: https://clawhub.ai/mickmicksh/lap-altoroj-rest-api
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required env vars: ALTOROJ_REST_API_KEY
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

openclaw skills install lap-altoroj-rest-api

ClawHub CLI

npx clawhub@latest install lap-altoroj-rest-api

Security Scan

Capability signals

Requires sensitive credentials

These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.

VirusTotal: Benign

OpenClaw: Suspicious (medium confidence)

Purpose & Capability

Name/description (AltoroJ REST for login/account/transfer) align with requiring an API key (ALTOROJ_REST_API_KEY). However the SKILL.md does not include a base URL or the referenced API spec (references/api-spec.lap) inside the skill bundle, which prevents the agent from calling endpoints directly. Lack of homepage/source provenance is also a gap for a banking-related skill.

Instruction Scope

Runtime instructions are narrowly focused on calling the listed endpoints and setting the API key header, which is expected. But the doc explicitly tells the user/agent to run npx @lap-platform/lapsh to fetch the API spec; that instructs execution of remote code and implicitly trusts an external npm package. The skill does not include the spec it references, so the agent is guided to pull code from the network to get necessary details.

Install Mechanism

No install spec is present (instruction-only), which is low-risk in itself. However the included CLI examples advise running npx to fetch the API spec; npx executes a package from the npm registry (or remote) and can run arbitrary code. The skill does not supply or pin a specific trusted source/URL for the spec, increasing risk if the agent follows that advice.

Credentials

Only one environment variable (ALTOROJ_REST_API_KEY) is required, which is proportionate for an API client. Still, this is a sensitive credential (bank API key) and should be scoped and protected; the package provides no guidance about key scope, rotation, or least privilege.

Persistence & Privilege

The skill does not request always:true, does not include install hooks, and is instruction-only. It does not request persistent system-wide privileges. Autonomous invocation is allowed by platform default but not exceptional here.

What to consider before installing

This skill appears to describe a legitimate AltoroJ REST API and only asks for one API key, but there are notable gaps and small risks you should address before installing or running it:

  • Missing base URL and missing API spec: ask the publisher or vendor for the exact base URL and the full API spec (references/api-spec.lap). Without those, the agent cannot safely form requests.
  • Unknown provenance: there is no homepage or source repository. Prefer skills published by a known/verified source for anything that touches banking APIs.
  • npx / remote code execution: the SKILL.md suggests using 'npx @lap-platform/lapsh' to fetch the spec. Running npx will execute remote code from npm; only run this after inspecting the package (review its code and maintainers) or obtain the spec from a trusted local copy.
  • Protect the API key: only provide ALTOROJ_REST_API_KEY if you trust the skill and the runtime environment. Ensure the key has minimal permissions and can be revoked/rotated.

If the publisher can provide the base URL and embed the API spec in the skill bundle (or point to a verified, reviewable source), and if you confirm the npm package referenced is trustworthy, the remaining concerns would be reduced.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Env: ALTOROJ_REST_API_KEY
latest vk978856az18792zfcj86a0x1sh85nwr2
31 downloads
0 stars
1 versions
Updated 20h ago
v1.0.0
MIT-0

AltoroJ REST API

API version: 1.0.2

Auth

ApiKey Authorization in header

Base URL

Not specified.

Setup

  1. Set your API key in the appropriate header
  2. GET /login -- verify access
  3. POST /login -- create first login

Endpoints

12 endpoints across 6 groups. See references/api-spec.lap for full details.

login

| Method | Path | Description |
|--------|------|-------------|
| GET | /login | Check if any user is logged in |
| POST | /login | Login method |

account

| Method | Path | Description |
|--------|------|-------------|
| GET | /account | Returns a list of all the accounts owned by the user |
| GET | /account/{accountNo} | Returns details about a specific account |
| GET | /account/{accountNo}/transactions | Returns the last 10 transactions attached to an account |
| POST | /account/{accountNo}/transactions | Return transactions between 2 specific dates |

transfer

| Method | Path | Description |
|--------|------|-------------|
| POST | /transfer | Transfer money between two accounts |

feedback

| Method | Path | Description |
|--------|------|-------------|
| POST | /feedback/submit | Submit feedback for the bank |
| GET | /feedback/{feedbackId} | Retrieve feedback |

admin

| Method | Path | Description |
|--------|------|-------------|
| POST | /admin/addUser | Add new user |
| POST | /admin/changePassword | Change user password |

logout

| Method | Path | Description |
|--------|------|-------------|
| GET | /logout | Logout from the bank |

Common Questions

Match user requests to endpoints in references/api-spec.lap. Key patterns:

  • "List all login?" -> GET /login
  • "Create a login?" -> POST /login
  • "List all account?" -> GET /account
  • "Get account details?" -> GET /account/{accountNo}
  • "List all transactions?" -> GET /account/{accountNo}/transactions
  • "Create a transaction?" -> POST /account/{accountNo}/transactions
  • "Create a transfer?" -> POST /transfer
  • "Create a submit?" -> POST /feedback/submit
  • "Get feedback details?" -> GET /feedback/{feedbackId}
  • "Create a addUser?" -> POST /admin/addUser
  • "Create a changePassword?" -> POST /admin/changePassword
  • "List all logout?" -> GET /logout
  • "How to authenticate?" -> See Auth section

Response Tips

  • Check response schemas in references/api-spec.lap for field details
  • Create/update endpoints typically return the created/updated object

CLI

# Update this spec to the latest version
npx @lap-platform/lapsh get altoroj-rest-api -o references/api-spec.lap

# Search for related APIs
npx @lap-platform/lapsh search altoroj-rest-api

References

  • Full spec: See references/api-spec.lap for complete endpoint details, parameter tables, and response schemas

Generated from the official API spec by LAP
