ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Privacy virtual credit cards

v1.0.2

Use the Privacy CLI to create and manage Privacy Virtual Cards directly from the terminal. Trigger this skill whenever the user asks to create, list, pause,...

0· 83·0 current·0 all-time
by@eladrave

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for eladrave/privacy-cli.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Privacy virtual credit cards" (eladrave/privacy-cli) from ClawHub.
Skill page: https://clawhub.ai/eladrave/privacy-cli
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install privacy-cli

ClawHub CLI

Package manager switcher

npx clawhub@latest install privacy-cli
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill's purpose (manage Privacy virtual cards) legitimately requires an API key and the official privacy CLI. The SKILL.md explicitly requires PRIVACY_API_KEY, npm/node, and the @privacy-com/privacy-cli package, but the registry metadata lists no required env vars or binaries — an inconsistency between declared metadata and the runtime instructions.
Instruction Scope
The instructions stay within the stated purpose (create/list/pause/close cards, list transactions). They correctly warn about handling PAN data and require explicit user confirmation for full PAN retrieval. The SKILL.md also notes the CLI resolves the API key from either PRIVACY_API_KEY or ~/.privacy/config — meaning the agent may indirectly access the user's credential file if the CLI reads it. The instructions do not ask to read unrelated system files, but they do rely on a user-managed secret and a config file.
Install Mechanism
This is an instruction-only skill (no install spec). The SKILL.md tells the agent to run `npm install -g @privacy-com/privacy-cli` if the CLI is missing. Installing a global npm package is a reasonable way to obtain the CLI, but it involves running third-party code from the npm registry — this is moderate risk and should be done deliberately. The install step is not reflected in registry install metadata.
!
Credentials
Access to PRIVACY_API_KEY (and the CLI's ~/.privacy/config) is directly required for the skill's functionality, so the secret itself is proportionate. However, the registry metadata does not declare the PRIVACY_API_KEY or required binaries — the omission makes it unclear to users and platform permission systems what secrets/binaries the skill will use. The skill also allows retrieval of very sensitive PAN data (appropriately gated by a confirmed user prompt).
Persistence & Privilege
The skill is not forced-always, does not request persistent system-wide privileges, and does not modify other skills. Autonomous model invocation is enabled (the platform default) but not combined with other high-risk flags.
What to consider before installing
Before installing or enabling this skill: 1) Note the mismatch — SKILL.md requires PRIVACY_API_KEY, npm/node, and the privacy CLI, but the registry metadata does not declare these. Ask the publisher to correct metadata so you (and the platform) can make an informed permission decision. 2) Treat PRIVACY_API_KEY as highly sensitive: only set it in environments you control, and avoid exposing it to agents you don't trust. 3) The skill may cause you (or the agent) to install a global npm package — installing from npm runs third-party code, so prefer installing manually and verifying the package (@privacy-com/privacy-cli) is the official one. 4) The skill can retrieve full PAN data; follow the SKILL.md guidance: require explicit user confirmation and never persist PANs to disk or logs. 5) If you want to limit risk, restrict the agent's ability to invoke this skill autonomously (or require manual approval) and verify that the agent/platform will not expose ~/.privacy/config or other credentials without your consent. 6) If you need higher assurance, ask the maintainer for an install spec and for registry metadata to accurately list required env vars and binaries.

Like a lobster shell, security has layers — review code before you run it.

latestvk976x7j4cxtk8c8tk2kgb14qs1846k9x
83downloads
0stars
3versions
Updated 3w ago
v1.0.2
MIT-0
@eladrave
latest
Download

Privacy CLI Skill

This skill allows the agent to interact with the Privacy API via the official CLI to manage Privacy Virtual Cards and view transactions.

Reference Documentation

For missing information or edge cases, refer to the official documentation: https://developers.privacy.com/docs/privacy-cli

1. Installation & Setup

Before executing commands, check if the CLI is installed by running: privacy --version

If not installed, run the folling: npm install -g @privacy-com/privacy-cli

2. Configuration & Authentication

The Privacy CLI requires an API key (the user must be on a paid Privacy Plan). Check for authentication by running a harmless command like privacy cards list --page-size 1 --json.

If it fails due to missing authentication:

  1. Instruct the user to get their API key from https://app.privacy.com/subscriptions.
  2. Ask the user to set the PRIVACY_API_KEY environment variable in their terminal (e.g., export PRIVACY_API_KEY="your_api_key_here").

The CLI resolves your API key in this order:

  1. PRIVACY_API_KEY environment variable
  2. ~/.privacy/config file (JSON with api_key field)

3. Usage Guidelines for the Agent

  • Output Mode: ALWAYS append the --json flag to your commands so you can parse the output programmatically!
  • Interactive Mode: NEVER use the interactive REPL mode (privacy or privacy interactive). Always use non-interactive one-off commands. Do not prompt the user to use interactive mode either.
  • Security Warning (PAN Data): If the user asks for full card details (PAN, CVV, Expiry), you MUST require explicit user confirmation before running privacy cards pan <token> --json. Do not log, save, or store the PAN output in any file; only display it securely to the user in your response.

4. Commands Reference

Cards

  • Create Card: privacy cards create --type <SINGLE_USE|MERCHANT_LOCKED> [--memo "label"] [--spend-limit <whole_dollars>] [--spend-limit-duration <TRANSACTION|MONTHLY|ANNUALLY|FOREVER>] --json (Note: SINGLE_USE closes automatically after the first transaction, MERCHANT_LOCKED locks to the first merchant it is used with).
  • List Cards: privacy cards list [--page <number>] [--page-size <number>] --json
  • Get Card Details: privacy cards get <token> --json
  • Update Card: privacy cards update <token> [--memo "new label"] [--spend-limit <amount>] [--spend-limit-duration <duration>] [--state <OPEN|PAUSED|CLOSED>] --json
  • Pause/Unpause Card: privacy cards pause <token> --json privacy cards unpause <token> --json
  • Close Card (Permanent): privacy cards close <token> --json
  • Get Full PAN (Sensitive): privacy cards pan <token> --json

Transactions

  • List Transactions: privacy transactions list [--begin YYYY-MM-DD] [--end YYYY-MM-DD] [--card-token <token>] [--result APPROVED|DECLINED] [--page <number>] [--page-size <number>] --json

Comments

Loading comments...