ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Lap Aftermarket Api

v1.0.0

Aftermarket API skill. Use when working with Aftermarket for customers, aftermarket. Covers 3 endpoints.

0· 111·1 current·1 all-time
by@mickmicksh

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for mickmicksh/lap-aftermarket-api.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Lap Aftermarket Api" (mickmicksh/lap-aftermarket-api) from ClawHub.
Skill page: https://clawhub.ai/mickmicksh/lap-aftermarket-api
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install lap-aftermarket-api

ClawHub CLI

Package manager switcher

npx clawhub@latest install lap-aftermarket-api
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill claims to target an Aftermarket API / GoDaddy Auctions endpoints, including DELETE and POST actions. However, it declares no base URL, no authentication, and no required binaries, which is unexpected for an API that appears to perform state-changing operations. The lack of declared dependencies (Node/npm or lapsh) is inconsistent with the CLI usage in the instructions.
!
Instruction Scope
SKILL.md instructs the agent to verify access (GET) and to create or remove listings (POST/DELETE) but gives no base URL or auth method. It references a local file (references/api-spec.lap) that is not included and provides npx commands that will fetch remote tooling. The presence of destructive endpoints (DELETE /v1/aftermarket/listings) without authentication details is particularly risky/incoherent.
Install Mechanism
There is no install spec (instruction-only), which is low risk by itself. However, the README encourages running npx @lap-platform/lapsh, which implies a Node/npm runtime and network access to install packages — yet the skill does not declare these requirements. That mismatch is an omission to be clarified.
!
Credentials
The skill declares no required environment variables or credentials and explicitly states "No authentication required." That is surprising for endpoints that modify auctions and likely require API credentials. The absence of any credential requirements is disproportionate and suggests the spec is incomplete or incorrect.
Persistence & Privilege
The skill does not request persistent presence (always:false) and does not claim to modify other skills or system-wide settings. It is user-invocable and allows autonomous invocation per platform defaults, which is normal.
What to consider before installing
Do not trust this skill as-is. Before installing or enabling it, ask the publisher for: (1) the API base URL(s) to be used; (2) explicit authentication requirements (API keys/OAuth) and how they are stored; (3) the references/api-spec.lap file or a link to the official API spec; (4) confirmation that destructive endpoints (DELETE, POST) require and enforce auth. Be aware that SKILL.md suggests running `npx @lap-platform/lapsh` — that will download/execute code from npm, so only run it if you trust the @lap-platform package. If you need this capability, prefer a version that: includes the base URL, documents auth and required env vars, lists required binaries (node/npm) or provides an audited install mechanism, and includes the referenced API spec file. If the publisher cannot supply those, treat the skill as incomplete and potentially unsafe.

Like a lobster shell, security has layers — review code before you run it.

latestvk976xjwkp5tfhg6kx93v03j99n85733p
111downloads
0stars
1versions
Updated 1w ago
v1.0.0
MIT-0
@mickmicksh
latest
Download

Aftermarket API

API version: 1.0.0

Auth

No authentication required.

Base URL

Not specified.

Setup

  1. No auth setup needed
  2. GET /v1/customers/{customerId}/auctions/listings -- verify access
  3. POST /v1/aftermarket/listings/expiry -- create first expiry

Endpoints

3 endpoints across 2 groups. See references/api-spec.lap for full details.

customers

MethodPathDescription
GET/v1/customers/{customerId}/auctions/listingsGet listings from GoDaddy Auctions

aftermarket

MethodPathDescription
DELETE/v1/aftermarket/listingsRemove listings from GoDaddy Auction
POST/v1/aftermarket/listings/expiryAdd expiry listings into GoDaddy Auction

Common Questions

Match user requests to endpoints in references/api-spec.lap. Key patterns:

  • "List all listings?" -> GET /v1/customers/{customerId}/auctions/listings
  • "Create a expiry?" -> POST /v1/aftermarket/listings/expiry

Response Tips

  • Check response schemas in references/api-spec.lap for field details
  • List endpoints may support pagination; check for limit, offset, or cursor params
  • Create/update endpoints typically return the created/updated object

CLI

# Update this spec to the latest version
npx @lap-platform/lapsh get aftermarket-api -o references/api-spec.lap

# Search for related APIs
npx @lap-platform/lapsh search aftermarket-api

References

  • Full spec: See references/api-spec.lap for complete endpoint details, parameter tables, and response schemas

Generated from the official API spec by LAP

Comments

Loading comments...