Wafeq API Reference

Pass

Audited by ClawScan on May 10, 2026.

Overview

This is a coherent Wafeq API reference skill, but it can guide actions that use a real accounting API key to change financial records.

This skill appears to be a benign, instruction-only Wafeq API reference. Before installing or using it, make sure you trust any agent actions that use your WAFEQ_API_KEY, review financial write/delete/bulk-send/tax-reporting calls, and avoid running any helper script that is not included and reviewable.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If an agent uses these endpoints with your API key, it could create, modify, delete, send, or report accounting records in your Wafeq account.

Why it was flagged

The skill documents broad create, update, and delete operations for accounting resources. This is expected for an API reference, but these operations can change real business records.

Skill content

Most resources follow: POST `/{resource}/`, GET `/{resource}/`, GET `/{resource}/{id}/`, PUT `/{resource}/{id}/`, PATCH `/{resource}/{id}/`, DELETE `/{resource}/{id}/`.

Recommendation

Use this skill for user-directed API work only, confirm high-impact writes/deletes/bulk sends/tax reporting, and prefer test organizations or idempotency keys when possible.

What this means

Anyone or any agent with the key may be able to access or mutate Wafeq organization data according to that key's permissions.

Why it was flagged

The skill requires a Wafeq API key and explains how to provide it. This is purpose-aligned, but the credential can authorize access to financial and business data.

Skill content

export WAFEQ_API_KEY='your-key-here' ... Or configure in `~/.openclaw/openclaw.json`

Recommendation

Use the least-privileged key available, keep it out of prompts and code, store it securely, rotate it if exposed, and revoke keys that are no longer needed.

What this means

A user looking for this helper script may not be able to verify what it does from the supplied skill package.

Why it was flagged

The provided manifest contains only SKILL.md and reference markdown files, so this referenced helper script is not available for review in the supplied artifacts. The instruction is optional and user-directed, so this is a documentation/provenance note rather than a concern.

Skill content

You can validate your setup by running `scripts/setup.sh` from the plugin root.

Recommendation

Do not run any setup script unless its source is present and reviewed; validate the API key manually or with a trusted command instead.