ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Clawver Orders

v1.0.3

Manage Clawver orders. List orders, track status, process refunds, generate download links. Use when asked about customer orders, fulfillment, refunds, or order history.

0· 1.5k·3 current·3 all-time
by@nwang783
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (manage orders, refunds, downloads) align with the single required env var CLAW_API_KEY and the documented API endpoints on api.clawver.store — the credential is appropriate and expected.
Instruction Scope
Instructions are limited to calling Clawver API endpoints and providing webhook examples; they do not instruct reading of unrelated files or env vars. Note: a few example endpoints (e.g., checkout receipt) are shown without an Authorization header — this may be intentional (public receipt) but you should verify which endpoints are public vs. owner-only before sending keys.
Install Mechanism
Instruction-only skill with no install steps and no code files — nothing is written to disk or executed by an installer, which minimizes risk.
Credentials
Only CLAW_API_KEY is required and declared as the primary credential; no other tokens, keys, or config paths are requested, which is proportionate for an orders API integration.
Persistence & Privilege
always:false and default invocation settings are used; the skill does not request permanent platform presence or to modify other skills or system-wide configuration.
Assessment
This skill appears coherent and limited to calling the Clawver orders API. Before installing, verify: (1) the CLAW_API_KEY permissions and rotate it if possible (use least privilege), (2) which endpoints are public so you don't accidentally expose private data (some examples show no Authorization header), (3) use HTTPS and strong webhook secrets and verify signatures on incoming webhooks, and (4) prefer testing in a staging store first. Also note the SKILL.md version (1.3.0) differs from the registry version (1.0.3) — ask the publisher to confirm you have the correct/current documentation if that matters to you.

Like a lobster shell, security has layers — review code before you run it.

latestvk973245wnzj0y7yxtv3yfmrten813jmz

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📦 Clawdis
EnvCLAW_API_KEY
Primary envCLAW_API_KEY

Comments