Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Lap Adyen Payout Api
v1.0.0
Adyen Payout API skill. Use when working with Adyen Payout for confirmThirdParty, declineThirdParty, payout. Covers 6 endpoints.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, and listed endpoints align with an Adyen Payout API wrapper for the v68 pal-test endpoint; requiring an ADYEN_PAYOUT_API_KEY is plausible. However the doc alternates between API key (X-API-Key) and Bearer token semantics, creating ambiguity about the actual credential type the skill needs.
Instruction Scope
SKILL.md is instruction-only and does not attempt to read unrelated system files, but it contains conflicting auth guidance: metadata requires ADYEN_PAYOUT_API_KEY, the Auth section says 'ApiKey X-API-Key in header | Bearer basic', and the Setup section says 'Set Authorization header with your Bearer token'. The skill also references a local file (references/api-spec.lap) and suggests running npx @lap-platform/lapsh — these are examples but could prompt an agent to run network/npm commands if it follows the README literally.
Install Mechanism
No install spec and no code files—lowest-risk instruction-only skill. There is no packaged download or archive that would write code to disk.
Credentials
Only ADYEN_PAYOUT_API_KEY is required which is proportionate for an API skill. However the naming suggests an API key while parts of the doc ask for a Bearer token; this ambiguity could lead to providing the wrong secret (e.g., a production key) or the agent trying multiple auth methods.
Persistence & Privilege
always is false, no config paths requested, and the skill is user-invocable only. It does not request persistent system presence or modify other skills' configs.
What to consider before installing
This skill appears to implement Adyen Payout endpoints for the Adyen test PAL URL and only asks for a single environment variable, which is reasonable — but there are small yet important inconsistencies you should resolve before installing:
- Confirm the correct auth method: does your integration need an X-API-Key header (ADYEN_PAYOUT_API_KEY) or a Bearer token? The SKILL.md mixes both. Provide only a test-scoped credential, not a production key, until you verify.
- Verify the base URL (pal-test.adyen.com) matches your intended environment (test vs live) so you don't accidentally use production credentials.
- The README references a local spec (references/api-spec.lap) and npx @lap-platform/lapsh commands — these are optional developer utilities but could cause an agent to execute npm commands if it follows instructions. Only run those commands in a safe environment and review what they download.
- Principle of least privilege: if possible, create a key limited to payout operations and to the test environment, and rotate it after use.
If the author can clarify the auth flow (exact header name and whether a Bearer token is required) and remove/clarify the npx instructions, this would move the skill from 'suspicious' to 'benign'.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
Env: ADYEN_PAYOUT_API_KEY
