v1.0.0

Paytm Integration Skill

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 5:47 AM.

Analysis

This is a coherent Paytm payment-integration guide; it involves expected financial API and merchant-key handling, but the provided artifacts do not show hidden or malicious behavior.

Guidance: Before installing or using this skill with live Paytm credentials, verify the source repository, run examples in staging first, keep the Merchant Key server-side only, and review any generated payment-link, QR, checkout, or subscription code before it can affect real customers.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Medium | Confidence: High | Status: Note
SKILL.md
Supported integration variants in this skill: **JS Checkout** (web), **Subscriptions / UPI Autopay**, **Payment Links**, and **Dynamic QR Codes** — all backed by Server-to-Server APIs.

The skill covers payment collection and recurring-payment setup flows. This is high-impact but clearly disclosed and central to the stated Paytm integration purpose.

User impact: Generated code or instructions may create payment orders, links, QR codes, or subscription mandates that affect real customers and payments if used with live credentials.
Recommendation: Use staging first, require explicit user confirmation before live payment actions, and review amounts, recipients, callback URLs, and subscription terms before deployment.
Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: Medium | Status: Note
README.md
git clone https://github.com/paytm/paytm-integration-skills.git ~/.claude/skills/paytm-integration

The README recommends a manual external repository clone into the skills directory. This is user-directed and not automatically executed, but users should still verify provenance.

User impact: Installing from the wrong or modified repository could place untrusted instructions or sample code into the agent's skill directory.
Recommendation: Verify the repository owner, inspect the files before use, and prefer pinned releases or trusted tags when installing.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium | Confidence: High | Status: Note
SKILL.md
| **Merchant Key** | Secret key used to generate/verify checksums |

Paytm Merchant Keys are expected for this integration and are needed to sign API calls, but they are sensitive merchant credentials.

User impact: If the Merchant Key is exposed in frontend code, logs, or a repository, someone could sign Paytm API requests as the merchant.
Recommendation: Store the Merchant Key only in server-side environment variables or a secret manager, never commit it, and never send it to the browser.