Kaspi Autopay
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill is a coherent payment-bot service pitch, but it relies on an unreviewed managed integration for automatic payment verification and delivery without clear credential, data, or control boundaries.
Before using this, treat it as an unreviewed managed payment service rather than a reviewed installable skill. Verify the developer, request a full data-flow and credential-scope description, confirm compliance with Kaspi/Telegram requirements, start in a test bot, and require audit logs, limits, manual override, and retention/deletion terms before processing real customer payments.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistake or abuse in the verification flow could incorrectly grant products/access or reject real customers without human review.
This describes automatic fulfillment based on payment verification, but the artifact does not state approval, limits, audit, dispute, or reversal controls.
From the skill description: "Bot automatically verifies the payment via a proprietary verification method. Product/access is delivered instantly — no human needed"
Require explicit transaction limits, audit logs, manual override, test mode, dispute handling, and rollback/revocation procedures before using it for real sales.
Users may need to hand over or configure sensitive bot, business, or database access without knowing the minimum required privileges.
These components imply delegated bot, payment-verification, and database access, but the artifacts do not explain what credentials or account permissions are required or how they are scoped.
From the skill description: "Telegraf (Telegram Bot API) ... Proprietary Kaspi payment verification ... PostgreSQL / Supabase"
Use least-privilege credentials, separate test/production bot tokens and databases, avoid sharing banking credentials unless contractually and technically justified, and document every required permission.
Installing or acting on the skill may lead the user to trust an off-platform service for payment automation that was not reviewed in these artifacts.
The actual payment-handling implementation is not included in the skill and setup is moved to an external managed service, leaving provenance and implementation safety unreviewed.
From the skill description: "This is a managed integration — not a self-hosted script. For setup and pricing, contact the developer directly"
Verify the developer identity, obtain implementation/security documentation, confirm official Kaspi/Telegram compatibility, and review contractual support and liability terms before deployment.
Customer payment evidence and transaction details could be stored or processed in ways the business has not reviewed or disclosed to customers.
Payment receipts and customer transaction data would flow through Telegram, a proprietary verifier, and database storage, but the artifact does not define data boundaries, retention, or privacy protections.
From the skill description: "Customer pays and sends the receipt to the bot ... Bot automatically verifies the payment via a proprietary verification method ... PostgreSQL / Supabase"
Ask for a data-flow diagram, retention/deletion policy, data residency details, access controls, and customer privacy terms before sending real receipts or customer data through the service.
A business could overtrust the service’s fraud-detection and revenue claims when deciding to automate payments.
The skill makes strong security and business-performance claims without reviewed code, validation evidence, official integration details, or measurable conditions.
From the skill description: "Fraud protection (fake receipt detection) ... Conversion boost: typical 40% → 75%+"
Treat these as marketing claims until validated with documentation, references, a pilot deployment, and independent testing against real and fake receipt scenarios.
