WOL catering api
ReviewAudited by ClawScan on May 10, 2026.
Overview
The skill matches its catering API purpose, but it can place orders that affect your account without an explicit confirmation and may expose your API token.
Before installing, make sure you are comfortable giving this skill access to your WOL catering account. Only use it if it confirms the exact order and total price before submitting, and avoid printing or pasting your API token where it may be logged.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could place an unintended catering order or create a balance owed if it misreads the user's request or product IDs.
The skill directs the agent to create an order through the API and defaults missing quantities to 1, but it does not require a final confirmation before submitting an account-affecting purchase.
Parse items from `$ARGUMENTS` ... Assume a quantity of 1 ... Build the JSON body and POST: `curl -s -X POST ... "$BASE_URL/api/v1/catering/orders"`
Require an explicit confirmation step showing product IDs, names, quantities, and total price before sending the POST request.
Anyone who can see the agent transcript or shell output might obtain the API token and use the user's catering account.
The API token is expected for this integration, but echoing it can expose the secret in terminal output, transcripts, or logs; asking users to paste it also needs careful handling.
Run these two shell commands to check for environment variables: `echo "${WOL_API_TOKEN}"` ... If `WOL_API_TOKEN` is empty, ask the user: "Please paste your API token..."Do not print the token. Check only whether it is set, redact any displayed value, and prefer secure environment configuration over pasting secrets into chat.