Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
v1.0.0 · Create and manage test payment links including one-time, recurring, plans, multi-product, custom, pay-what-you-want, and discount options.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md describes a broad payment-link manager (many payment types, webhooks, sandbox testing, etc.), but the included script implements only a single local 'onetime' POST to http://localhost:4000/v1/test/onetime. The manifest/registry lists no required env vars while SKILL.md metadata declares TEST_API_KEY. This large gap between claimed capability and actual implementation is inconsistent.
Instruction Scope
SKILL.md is comprehensive and security-conscious in prose (e.g., 'NEVER expose API keys', 'Use HTTPS only'), but the actual script does not read the declared TEST_API_KEY from the environment, instead hardcoding API_KEY = 'abc'. The script logs full JSON responses to stdout (console.log) which can contradict masking requirements. The instructions don't direct reading unrelated system files, which is good, but the mismatch between stated rules and code behavior is problematic.
Install Mechanism
No install spec — instruction-only plus a small script — so nothing is downloaded or installed automatically. This is low-risk from an install/extraction perspective.
Credentials
SKILL.md metadata lists TEST_API_KEY yet the registry reports no required env vars and the script ignores environment variables and uses a hardcoded API_KEY ('abc'). Hardcoded credentials in code are a bad practice and the declared-but-unused env var is an inconsistency that could cause confusion or misconfiguration.
Persistence & Privilege
The always flag is false and there are no special OS or persistence requirements. The skill does not request system-level config paths or elevated privileges.
What to consider before installing
This skill appears to be a test or placeholder rather than a production payment-link integration. Before installing or using it:
(1) prefer code that reads credentials from environment variables (e.g., process.env.TEST_API_KEY) rather than a hardcoded API_KEY;
(2) confirm whether the skill should require TEST_API_KEY in the registry metadata so permissions match runtime;
(3) require HTTPS endpoints for any network calls outside localhost; console logs currently print full API responses, which may expose sensitive fields, so implement masking/logger controls;
(4) verify the author/source (no homepage/source provided) and ask whether the included script is the full implementation or just a demo;
(5) do not use this in production: SKILL.md itself says 'sandbox only' and the code calls localhost.
If the author provides an updated script that uses env vars, supports intended endpoints, and follows the documented security rules, this assessment could change to benign.
