WOL catering api
AdvisoryAudited by Static analysis on May 9, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could place an unintended catering order or create a balance owed if it misreads the user's request or product IDs.
The skill directs the agent to create an order through the API and defaults missing quantities to 1, but it does not require a final confirmation before submitting an account-affecting purchase.
Parse items from `$ARGUMENTS` ... Assume a quantity of 1 ... Build the JSON body and POST: `curl -s -X POST ... "$BASE_URL/api/v1/catering/orders"`
Require an explicit confirmation step showing product IDs, names, quantities, and total price before sending the POST request.
Anyone who can see the agent transcript or shell output might obtain the API token and use the user's catering account.
The API token is expected for this integration, but echoing it can expose the secret in terminal output, transcripts, or logs; asking users to paste it also needs careful handling.
Run these two shell commands to check for environment variables: `echo "${WOL_API_TOKEN}"` ... If `WOL_API_TOKEN` is empty, ask the user: "Please paste your API token..."Do not print the token. Check only whether it is set, redact any displayed value, and prefer secure environment configuration over pasting secrets into chat.