ClawHub

UPI Payment Integration

v1.0.0

Design and implement robust UPI payment integrations (collect, intent, QR, and autopay mandates) with production-grade webhook handling, idempotency, reconci...

0· 96·0 current·0 all-time
byASP@anugotta
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description, required env vars (UPI_PROVIDER_KEY_ID, UPI_PROVIDER_KEY_SECRET, UPI_WEBHOOK_SECRET, UPI_MERCHANT_ID) and required binaries (curl, jq) are all appropriate and expected for building/troubleshooting UPI integrations. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
SKILL.md focuses on designing/implementing UPI flows, webhook verification, idempotency, reconciliation, and operational checklists. It instructs storing raw webhook payloads, verifying signatures, and using idempotent processing — all within scope. It does not instruct reading unrelated files or exfiltrating data. It warns not to share secrets in chat.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest-risk install surface (nothing is written to disk by the skill itself).
Credentials
Requested env vars are directly tied to UPI provider integrations. The number of required variables is minimal and justified. Optional recommendations (DATABASE_URL, UPI_ENV) are sensible but not required. No unrelated secrets are requested.
Persistence & Privilege
always is false and the skill is user-invocable; it does not request persistent system privileges or modify other skills/config. Autonomy (model invocation) is allowed by default but not combined with other red flags here.
Assessment
This skill appears coherent for UPI integration guidance. Before using it: do not paste real provider secrets or private keys into chat; keep the declared env vars in a secure secret manager and grant access to runtime agents only with least privilege; test all flows in sandbox before production; enforce webhook signature verification and IP allowlisting on your endpoints; and review the provider / RBI / NPCI documentation the skill references. If you plan to grant the agent runtime access to environment variables or secret manager credentials, verify who/what can trigger the agent autonomously and restrict that access. If you need higher assurance, ask the publisher for the origin/source of the skill bundle (it lists an external homepage but source is unknown).

Like a lobster shell, security has layers — review code before you run it.

latestvk9736htf9dargjywvjnbmqgden8378rr

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

💸 Clawdis
Binscurl, jq
EnvUPI_PROVIDER_KEY_ID, UPI_PROVIDER_KEY_SECRET, UPI_WEBHOOK_SECRET, UPI_MERCHANT_ID

Comments