Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Mayar.id Payment

v1.0.0

Integrate Mayar.id for Indonesian payments to create invoices, generate payment links, track transactions, manage subscriptions, and automate payment workflo...

0· 1.8k·0 current·0 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md and README clearly describe a Mayar.id payment integration (invoice creation, transaction queries, webhooks), and the included references align with that purpose. However, the registry metadata declares no required credentials or binaries even though the documentation requires an API key, mcporter, and Node/npx; this metadata omission is an inconsistency.
Instruction Scope
Instructions stay within the payment-integration scope (create a credentials file, add the mcporter server, call mcporter tools, register webhooks). They do instruct writing credentials to ~/.config/mayar/credentials and embedding the API token in the Authorization header in config/mcporter.json, which is functionally necessary but can leak if those files are not handled securely. No instructions ask the agent to read unrelated system files or to exfiltrate data to unexpected endpoints; the endpoints referenced are Mayar domains.
Install Mechanism (flagged)
There is no formal install spec (the skill is instruction-only), but the mcporter configuration runs `npx mcp-remote` at startup, which downloads and executes the mcp-remote npm package at runtime. The skill's metadata neither declares nor vets that package. Dynamic npx execution is a higher-risk behaviour; verify the package's source, version, and integrity before enabling the server.
Credentials (flagged)
The skill requires a sensitive Mayar API JWT token (documented in SKILL.md), but the registry metadata declares no required environment variables or primary credential, which is a mismatch. The instructions ask you to store the token in a local credentials file and to place it in the Authorization header in mcporter.json. This is proportional to the payment use case, but the token is sensitive and should be protected; a platform-managed secret store is preferred.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and has no install step that writes persistent system-wide components. Its persistence is limited to the user-supplied credential file and the mcporter configuration, which is expected for this integration.
What to consider before installing
This skill looks like a real Mayar payment integration, but take care before installing:
1) The package metadata does not list the API key or the required binaries, even though SKILL.md requires a Mayar JWT and mcporter/Node (metadata mismatch).
2) Review and protect your API token. The docs tell you to store it in ~/.config/mayar/credentials and to embed it in config/mcporter.json; prefer your platform's secret storage if available, keep those files readable only by your user, and never commit them to version control.
3) The mcporter config uses `npx mcp-remote`, which fetches and executes code from npm at runtime. Verify the mcp-remote package (author, version, audit history) and pin an exact version before enabling it, since dynamic npx execution can run arbitrary code.
4) Test in a Mayar sandbox environment (web.mayar.club) first and validate webhook handling and token scope.
5) If you need higher assurance, ask the skill author for the exact npm package version, a checksum or signed release, and updated registry metadata that declares the required credential and binaries.
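The points above about the hardcoded Authorization header, the unpinned `npx mcp-remote` launch, and the credentials file can be checked mechanically before you enable the server. The script below is an added example written for this page; it is not part of the scan report, the skill, or mcporter. The config layout it reads (`mcpServers` → `command`/`args`/`headers`) is an assumption modelled on common MCP client configs, the token in the sample is a constructed JWT-shaped string (payload `{"sub":"demo"}`), the URL is a placeholder rather than a Mayar endpoint, and `0.1.0` stands in for whatever mcp-remote version you have actually reviewed.

```python
"""Audit an MCP server config for the risks the scan report raises: an API
token embedded literally in an Authorization header, a server started through
an unpinned `npx` package, and an over-permissive credentials file.

ASSUMPTION: the layout {"mcpServers": {name: {"command", "args", "headers"}}}
is modelled on common MCP client configs, not taken from mcporter's docs;
map the keys to the real config/mcporter.json before relying on this.
"""
import os
import re
import stat
import tempfile
from typing import List, Optional, Tuple

# Shape of a JWT: three base64url segments separated by dots.
JWT_RE = re.compile(r"^[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}$")
# References or placeholders rather than secrets: ${VAR}, $VAR, <your-token>.
PLACEHOLDER_RE = re.compile(r"^(\$\{?[A-Z_][A-Z0-9_]*\}?|<[^>]+>)$")
# An exact version pin (e.g. 1.2.3); dist-tags such as 'latest' do not count.
EXACT_VERSION_RE = re.compile(r"^\d+\.\d+\.\d+")


def is_literal_token(value: str) -> bool:
    """True if an Authorization value carries a real-looking secret inline."""
    token = value.strip()
    if token.lower().startswith("bearer "):
        token = token[7:].strip()
    if not token or PLACEHOLDER_RE.match(token):
        return False
    # A JWT is the documented Mayar credential shape; any other long opaque
    # string is treated as a secret too, erring on the side of flagging.
    return bool(JWT_RE.match(token)) or len(token) >= 20


def npx_package_spec(server: dict) -> Optional[str]:
    """Return the package spec handed to npx, or None if npx is not used."""
    if os.path.basename(server.get("command", "")) not in ("npx", "npx.cmd"):
        return None
    for arg in server.get("args", []):
        if not arg.startswith("-"):        # first non-flag argument is the package
            return arg
    return None


def is_pinned(spec: str) -> bool:
    """'mcp-remote@0.1.0' is pinned; 'mcp-remote', '@scope/pkg', 'x@latest' are not."""
    name_part = spec[1:] if spec.startswith("@") else spec   # skip scope marker
    if "@" not in name_part:
        return False
    version = name_part.rsplit("@", 1)[1]
    return bool(EXACT_VERSION_RE.match(version))


def audit_config(config: dict) -> List[Tuple[str, str]]:
    """Return (server_name, finding_code) pairs, in the order they are detected."""
    findings = []
    for name, server in config.get("mcpServers", {}).items():
        for header, value in server.get("headers", {}).items():
            if header.lower() == "authorization" and is_literal_token(value):
                findings.append((name, "hardcoded-token"))
        spec = npx_package_spec(server)
        if spec is not None:
            if not is_pinned(spec):
                findings.append((name, "unpinned-npx-package"))
            if any(a in ("-y", "--yes") for a in server.get("args", [])):
                findings.append((name, "npx-auto-install"))
    return findings


def credential_file_findings(path: str) -> List[str]:
    """Flag a credentials file readable or writable by group/others (wider than 0600)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return ["credentials-file-too-permissive"] if mode & 0o077 else []


def credential_file_findings_for_mode(mode: int) -> List[str]:
    """Self-contained check: create a throwaway file with `mode` and audit it."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, mode)
        return credential_file_findings(path)
    finally:
        os.remove(path)


# Constructed sample of the weak layout the report describes. The token is a
# fake JWT-shaped string, not a real key; the URL is a placeholder.
WEAK_CONFIG = {"mcpServers": {"mayar": {
    "command": "npx",
    "args": ["-y", "mcp-remote", "https://example.invalid/mcp"],
    "headers": {"Authorization": "Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJkZW1vIn0.c2lnbmF0dXJl"},
}}}

# Hardened variant: exact pin (0.1.0 is a placeholder for the version you
# reviewed), no auto-install flag, token supplied by reference. Whether
# mcporter expands ${VAR} is an assumption; the literal secret is gone either way.
HARDENED_CONFIG = {"mcpServers": {"mayar": {
    "command": "npx",
    "args": ["mcp-remote@0.1.0", "https://example.invalid/mcp"],
    "headers": {"Authorization": "Bearer ${MAYAR_API_TOKEN}"},
}}}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_config(cfg))
    print("credentials file (0644):", credential_file_findings_for_mode(0o644))
```

Run it as-is to see the weak config produce three findings and the hardened one none; to use it against a real install, load config/mcporter.json with `json.load`, pass the dict to `audit_config`, and point `credential_file_findings` at ~/.config/mayar/credentials. An empty result is not proof the package is safe, only that the config no longer carries the secret and no longer resolves the package at runtime; the package contents at the pinned version still need review.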

Like a lobster shell, security has layers — review code before you run it.

latest: vk971rpjbnhh6ekaq6ndnxd5f0h808tsx
