Gumroad Pro
Advisory
Audited by Static analysis on May 10, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone using the skill with a valid token is allowing the agent to access and manage Gumroad merchant data through that token.
The skill sends a configured Gumroad token to the Gumroad API. This is expected for merchant management, but it delegates meaningful account authority to the agent.
const token = ctx.env.GUMROAD_ACCESS_TOKEN || ctx.env.API_KEY; ... 'Authorization': `Bearer ${token}`
Use a dedicated Gumroad token if possible, revoke it when no longer needed, and avoid setting a generic API_KEY unless it is specifically the Gumroad token.
A mistaken or unintended action could delete a product, refund a sale, change product availability, or alter license and discount state.
The handler can perform destructive or financial Gumroad actions such as product deletion and refunds. These actions are aligned with the stated merchant-management purpose, but they are high impact.
else if (action === 'delete') { method = 'DELETE'; path = `/products/${encodeURIComponent(params.id)}`; } ... else if (action === 'refund') { method = 'PUT'; path = `/sales/${encodeURIComponent(params.id)}/refund`; ... }
Use the interactive confirmation flow for destructive actions and require clear user approval before refunds, deletes, publishing changes, or license rotations.
Future Gumroad events may be sent to the configured webhook destination, potentially including merchant or customer transaction details depending on the event type.
The skill can create Gumroad resource subscriptions/webhooks pointing to a provided URL. This is disclosed webhook-management functionality, but it can establish a persistent data flow outside Gumroad/OpenClaw.
else if (action === 'create') { method = 'PUT'; path = '/resource_subscriptions'; data = { post_url: params.url, resource_name: params.type }; }
Only create webhooks to trusted HTTPS endpoints, verify the destination URL carefully, and remove subscriptions that are no longer needed.
