Clovercli

The SKILL.md clearly documents a Clover POS CLI that requires CLOVER_ACCESS_TOKEN and CLOVER_MERCHANT_ID, and instructs installing @versatly/clovercli. However the skill registry metadata lists no description, no required env vars, and no primary credential. The functionality is coherent for a Clover CLI, but the metadata omission is inconsistent and prevents automated vetting of the required credentials.

The instructions stay within the expected scope for a CLI: installing the tool, setting environment variables for API access, and running commands against Clover endpoints. The SKILL.md does not instruct the agent to read arbitrary local files or send data to unexpected external endpoints beyond the documented npm/GitHub package and Clover API.

There is no install spec in the registry (instruction-only skill), but the SKILL.md tells the user/agent to run npm i -g @versatly/clovercli or clone a GitHub repo. Installing a third‑party npm package is a normal way to get this CLI, but it introduces moderate risk: the package and repo should be verified (author, code, recent releases, vulnerabilities). The skill itself does not provide integrity information (checksum, pinned version) or an install script.

The runtime instructions require CLOVER_ACCESS_TOKEN and CLOVER_MERCHANT_ID (and optionally CLOVER_REGION), which are sensitive credentials, but the skill metadata does not declare any required env vars or a primary credential. This mismatch means the registry record understates the credential needs and could lead to accidental credential exposure if users follow instructions without realizing the sensitivity.

The skill does not request persistent presence (always=false) and has no install artifact in the registry. It does not ask to modify other skills or system settings. Autonomous invocation is allowed (platform default) but not, by itself, a red flag here.