Wallapop Cli
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: wallapop-cli Version: 0.1.0 The skill bundle is benign. It provides instructions for using a `wallapop-cli` tool, detailing its commands and configuration. While it mentions `WALLAPOP_ACCESS_TOKEN` as an optional environment variable for the CLI tool, there are no instructions in `SKILL.md` for the AI agent to read, exfiltrate, or misuse this token. All commands specified are direct invocations of `wallapop`, and there are no signs of prompt injection, malicious execution, data exfiltration, or obfuscation.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the separately installed CLI is from an untrusted or unexpected source, commands could behave differently than the skill documentation suggests.
The skill depends on an external CLI that is not included or installed by these artifacts, so the user must separately trust and verify that tool.
compatibility: Requires wallapop-cli installed (Node.js 18+), network access to api.wallapop.com
Install wallapop-cli only from a trusted source, verify its version and documentation, and be especially cautious before using it with an access token.
Providing a Wallapop access token may allow account-scoped API access through the CLI, even though the documented commands are read-oriented.
The skill discloses optional credential use for Wallapop non-search endpoints; this is purpose-aligned but gives the underlying CLI account-related authority.
Optional auth token for non-search endpoints: - `WALLAPOP_ACCESS_TOKEN`
Use the token only when necessary, keep it out of shared logs or prompts, and prefer a revocable or least-privileged token if Wallapop supports that.