Wafeq API Reference

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only Wafeq API reference; it can guide access to sensitive accounting APIs, but the reviewed artifacts disclose that purpose and contain no executable or hidden behavior.

Install this only if you want an agent to help with Wafeq API work. Treat Wafeq API keys and OAuth tokens as financial-system credentials: keep them in a secret store or protected OpenClaw config, avoid logging them, use the narrowest available scopes, and manually confirm write, delete, bulk-send, payment, payroll, and tax-reporting actions before running them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The expense-management integration guidance instructs users to store OAuth tokens and sync employee expense data, but it provides no security controls for token storage, rotation, least-privilege scopes, or protection of sensitive employee financial data. In an agent skill context, developers may copy this guidance directly, increasing the risk of insecure token handling and exposure of payroll/expense information.

Credential Access

High
Category
Privilege Escalation
Content
| Token | Validity |
|-------|----------|
| Access token | 30 days |
| Refresh token | 6 months |
| Authorization code | 1 hour |
Confidence
83% confidence
Finding
Access token

VirusTotal

65/65 vendors flagged this skill as clean.
