Gumroad Pro

v1.2.9

Comprehensive Gumroad merchant management including product catalogs, sales intelligence, recurring subscription oversight, license key management, and finan...

⭐ 1· 1.5k·0 current·0 all-time

by@abdul-karim-mia

Security Scan

VirusTotal

Benign

View report →

OpenClaw

Benign

high confidence

✓

Purpose & Capability

Name/description match the code and docs: the skill implements Gumroad product/sales/licenses/discounts/payouts/webhooks operations and only requires a Gumroad API token (GUMROAD_ACCESS_TOKEN with API_KEY as fallback). Requested binaries (node) match the included Node.js handler and CLI.

✓

Instruction Scope

SKILL.md instructs using the included handler.js GUI first and the CLI script as fallback, references only platform config (~/.openclaw/openclaw.json) and ctx.session for transient state, and requires the Gumroad token. There are no instructions to read unrelated files, exfiltrate system data, or call unexpected endpoints.

ℹ

Install Mechanism

There is no install spec (instruction-only at registry level) but the package includes handler.js and a CLI script. That is low-risk — no external downloads or install scripts — but the presence of executable code means the skill will run Node.js code supplied in the bundle.

✓

Credentials

Only GUMROAD_ACCESS_TOKEN (primary) and an alternate API_KEY are declared and used. These map directly to the Gumroad API usage in both handler.js and the CLI. No unrelated secrets or excessive environment access are requested.

✓

Persistence & Privilege

The skill does not request always:true, does not persist data to disk (uses ctx.session for transient state), and does not modify other skills or system-wide config. Autonomous invocation is allowed (default) which is expected for skills of this type.

Assessment

This skill appears to do what it claims: it needs your Gumroad API token and will call api.gumroad.com to manage products, sales, licenses, discounts, payouts, and webhooks. Before installing: 1) Provide a Gumroad token with the minimum required scope and avoid reusing sensitive tokens for other services; 2) Be aware that creating webhooks via the tool will register external URLs that will receive event payloads (don’t point webhooks at endpoints you don’t control); 3) Note there is executable JavaScript bundled (handler.js and a CLI) — inspect the code or review the linked GitHub repo to satisfy yourself about the author and updates; 4) If you need stricter controls, rotate the token after testing or create a token dedicated to this skill.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Binsnode

EnvGUMROAD_ACCESS_TOKEN, API_KEY

Primary envGUMROAD_ACCESS_TOKEN

latestvk97e28bjszsbkgsnp9nw61qfzh81408n

1.5kdownloads

1stars

8versions

Updated 1mo ago

v1.2.9

MIT-0

Gumroad Pro

🛑 AI PROTOCOL

PRIORITIZE HANDLER: Always attempt to use the interactive button-based GUI (handled by handler.js) for the best merchant experience.
CLI AS FALLBACK: Only use scripts/gumroad-pro.js via the CLI for complex data retrieval or specific actions not available in the GUI.
USE --json: When using the CLI, ALWAYS use the --json flag and check for "success": true.
REDUCE SPAM: Use action: 'edit' in renderResponse for all menu transitions and state updates. Only use action: 'send' for the initial menu or when the context fundamentally changes.
HANDLE ERRORS: Read the "error" field in JSON responses to inform the user of failures.

❓ Navigation & Data

Primary Interaction: Use the adaptive logic in handler.js. See handler-guide.md for interaction patterns, ui-rendering.md for rendering protocols, and changelog.md for version history. Respond with button callback data (e.g., gp:products) or digits (1, 2, 3) where applicable.
Secondary Interaction: Use scripts/gumroad-pro.js for direct actions. See api-reference.md for command specs.

🔑 Authentication

The skill requires a Gumroad API Key. It looks for the following environment variables (in order of preference):

GUMROAD_ACCESS_TOKEN
API_KEY

Configuration

You can set this in your ~/.openclaw/openclaw.json using the apiKey convenience field:

{
  "skills": {
    "entries": {
      "gumroad-pro": {
        "enabled": true,
        "apiKey": "YOUR_GUMROAD_TOKEN"
      }
    }
  }
}

The platform will automatically inject your apiKey into the preferred GUMROAD_ACCESS_TOKEN variable.

🛠️ Workflows

Product Inventory

List all digital assets to monitor sales and availability.
Toggle publication status or delete obsolete items.
View detailed product commands.

Sales & Fulfillment

Search transactions by email.
Process refunds or mark physical goods as shipped.
View detailed sales commands.

Licensing

Verify keys for software distribution.
Manage usage counts or rotate keys for security.
View detailed license commands.

Offer Management

Create, list, or remove discount codes for marketing campaigns.
View detailed discount commands.

Developed for the OpenClaw community by Abdul Karim Mia.

Comments

Loading comments...