Skill v1.1.0

ClawScan security

Wafeq API Reference · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 25, 2026, 12:09 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is an instruction-only API reference for Wafeq that only requests a single API key and otherwise contains documentation — it is internally consistent with its stated purpose, with a few minor operational notes to review before use.
Guidance
This appears to be a straightforward API reference that legitimately asks only for a Wafeq API key. Before installing/providing secrets:
1) Prefer creating a least-privileged or test API key (scoped or limited) rather than a full-production key.
2) If you must store the key in ~/.openclaw/openclaw.json, ensure that file is protected (filesystem permissions) and that you understand the persistence risk; consider using an OS secret manager instead.
3) Do not run scripts from unknown sources: SKILL.md refers to scripts/setup.sh but the package contains no scripts; if an install or README later asks you to run a downloaded script, review it first.
4) Because the agent can call the API autonomously, decide whether to allow autonomous use or to require user confirmation in your agent settings.
5) If you need higher assurance, verify the skill's provenance (who published it) or prefer installing an official integration from Wafeq or a trusted publisher.
If any of these checks fail or you are unsure about the publisher, use a sandbox/test account/key first and rotate the key after testing.

Review Dimensions

Purpose & Capability
ok: Name/description, documentation files, and the single required environment variable (WAFEQ_API_KEY) all align with a Wafeq API reference skill. There are no unrelated credentials, binaries, or install steps requested.
Instruction Scope
note: SKILL.md stays on-topic (how to call Wafeq endpoints, sample workflows, headers). One mismatch: it suggests validating setup by running scripts/setup.sh from the plugin root, but this bundle contains no scripts, so do not run arbitrary scripts from unknown sources. Otherwise the instructions do not request unrelated system data or extra credentials.
Install Mechanism
ok: No install spec and no code files (instruction-only), so nothing is written to disk by an installer. This is the lowest-risk install profile.
Credentials
note: Only WAFEQ_API_KEY is required, which is appropriate. However, SKILL.md documents storing the key in ~/.openclaw/openclaw.json (skills.entries.wafeq-api.apiKey), which persists the secret to disk; evaluate the security of that file/location and prefer least-privilege or short-lived keys when possible.
Persistence & Privilege
ok: always is false and there are no requests to modify other skills or system settings. Note: model invocation is enabled by default. If you provide the API key, the agent (and this skill) can make Wafeq API calls autonomously, which is expected but increases the importance of using a restricted key.