Gumroad Pro
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: gumroad-pro
Version: 1.2.9

The skill provides comprehensive Gumroad merchant management, interacting with the legitimate `api.gumroad.com` via `https`. Both `handler.js` and `scripts/gumroad-pro.js` use `URLSearchParams` and `encodeURIComponent` for all parameters, mitigating API injection risks. A previous security vulnerability (use of `spawnSync`) was explicitly removed in version 1.2.5, as noted in `references/changelog.md`, indicating responsible development. While user input in multi-step flows (e.g., the `onMessage` function in `handler.js`) is processed directly, it is properly encoded before API calls, and there are no instructions in `SKILL.md` or the code to exploit the AI agent itself for malicious purposes. No evidence of data exfiltration, persistence, or unauthorized execution was found.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone using the skill with a valid token is allowing the agent to access and manage Gumroad merchant data through that token.
The skill sends a configured Gumroad token to the Gumroad API. This is expected for merchant management, but it delegates meaningful account authority to the agent.
```js
const token = ctx.env.GUMROAD_ACCESS_TOKEN || ctx.env.API_KEY;
...
'Authorization': `Bearer ${token}`
```
Use a dedicated Gumroad token if possible, revoke it when no longer needed, and avoid setting a generic API_KEY unless it is specifically the Gumroad token.
A mistaken or unintended action could delete a product, refund a sale, change product availability, or alter license and discount state.
The handler can perform destructive or financial Gumroad actions such as product deletion and refunds. These actions are aligned with the stated merchant-management purpose, but they are high impact.
```js
else if (action === 'delete') {
  method = 'DELETE';
  path = `/products/${encodeURIComponent(params.id)}`;
}
...
else if (action === 'refund') {
  method = 'PUT';
  path = `/sales/${encodeURIComponent(params.id)}/refund`;
  ...
}
```
Use the interactive confirmation flow for destructive actions and require clear user approval before refunds, deletes, publishing changes, or license rotations.
Future Gumroad events may be sent to the configured webhook destination, potentially including merchant or customer transaction details depending on the event type.
The skill can create Gumroad resource subscriptions/webhooks pointing to a provided URL. This is disclosed webhook-management functionality, but it can establish a persistent data flow outside Gumroad/OpenClaw.
```js
else if (action === 'create') {
  method = 'PUT';
  path = '/resource_subscriptions';
  data = { post_url: params.url, resource_name: params.type };
}
```
Only create webhooks to trusted HTTPS endpoints, verify the destination URL carefully, and remove subscriptions that are no longer needed.
