Payment Gateway Payram

Status: Pending. Static analysis audit pending.

Overview

No static analysis result has been recorded yet. Pattern checks will appear here once the artifact has been analyzed.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Concern (Medium Confidence)
ASI02: Tool Misuse and Exploitation
What this means

An agent connected to these tools could be guided toward high-impact financial workflows without the user seeing clear boundaries or confirmation rules in the skill documentation.

Why it was flagged

The skill instructs users to add a broad remote MCP toolset for payment operations and advertises payout-related functionality, but the artifacts do not define tool permissions, approval checkpoints, transaction limits, or safeguards.

Skill content
mcporter config add payram --url https://mcp.payram.com/mcp
# Done. 36 payment tools ready.
...
### Send Payouts
...
#  Pay out to any wallet address
Recommendation

Only enable the MCP after reviewing the exact tools it exposes, require explicit user confirmation for payment-link creation and payouts, and set clear limits on amounts, recipients, and environments.
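One way to put those boundaries in place on the host side, as an added example that is not code from the skill, from PayRam, or from ClawScan: a policy gate that every proposed tool call passes through before it is forwarded to the remote MCP. The tool names (get_payment_status, create_payment_link, send_payout), argument shapes (amount, to) and the limits are assumptions chosen for illustration; the real 36-tool list has to be read from the MCP itself and copied into the allowlist, and anything not on it is denied.

```python
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"      # forward the call to the MCP
    CONFIRM = "confirm"  # hold the call until a human explicitly approves it
    DENY = "deny"        # never forward; log the reason and return it to the agent


@dataclass
class PaymentPolicy:
    # Assumed tool names: replace with the exact names the MCP exposes.
    # Default-deny: a tool that is not listed here is never forwarded.
    environment: str = "sandbox"
    allowed_tools: frozenset = frozenset(
        {"get_payment_status", "create_payment_link", "send_payout"}
    )
    confirm_tools: frozenset = frozenset({"create_payment_link", "send_payout"})
    allowed_recipients: frozenset = frozenset()  # empty set: no payout can succeed
    per_tx_limit: Decimal = Decimal("100")
    daily_limit: Decimal = Decimal("150")
    spent_today: Decimal = field(default=Decimal("0"))

    def evaluate(self, tool: str, args: dict) -> tuple[Decision, str]:
        """Decide what happens to one proposed tool call before it leaves the host."""
        if tool not in self.allowed_tools:
            return Decision.DENY, f"tool {tool!r} is not on the allowlist"

        if tool == "send_payout":
            try:
                amount = Decimal(str(args.get("amount", "")))
            except InvalidOperation:
                return Decision.DENY, "payout amount is not a valid number"
            recipient = str(args.get("to", ""))
            # NaN/Infinity must be rejected before any ordering comparison.
            if not amount.is_finite() or amount <= 0:
                return Decision.DENY, "payout amount must be a positive finite number"
            if recipient not in self.allowed_recipients:
                return Decision.DENY, f"recipient {recipient!r} is not allowlisted"
            if amount > self.per_tx_limit:
                return Decision.DENY, f"{amount} exceeds per-transaction limit {self.per_tx_limit}"
            if self.spent_today + amount > self.daily_limit:
                return Decision.DENY, f"{amount} would exceed daily limit {self.daily_limit}"

        # Production gets a human checkpoint on every call; sandbox only on money-moving tools.
        if self.environment == "production" or tool in self.confirm_tools:
            return Decision.CONFIRM, f"{tool} requires explicit user approval"
        return Decision.ALLOW, "read-only tool in a non-production environment"

    def record(self, tool: str, args: dict) -> None:
        """Call after an approved payout was actually forwarded, so the daily cap holds."""
        if tool == "send_payout":
            self.spent_today += Decimal(str(args["amount"]))


if __name__ == "__main__":
    # Constructed calls an agent might propose; only one recipient is allowlisted.
    policy = PaymentPolicy(allowed_recipients=frozenset({"0xfeedface"}))
    for tool, args in [
        ("get_payment_status", {"id": "inv_1"}),
        ("send_payout", {"amount": "60", "to": "0xfeedface"}),
        ("send_payout", {"amount": "60", "to": "0xdeadbeef"}),
        ("send_payout", {"amount": "5000", "to": "0xfeedface"}),
        ("delete_webhook", {}),
    ]:
        decision, reason = policy.evaluate(tool, args)
        print(f"{tool:22} {decision.value:8} {reason}")
```

The gate only helps if the agent runtime routes every tool call through it and the agent has no other path to the MCP endpoint; nothing on this page indicates that mcporter provides such a hook, so this has to be enforced by whatever host wraps the agent.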

What this means

Running this command executes whatever script the URL serves at that moment, with the privileges of the invoking shell. The content can change between the time it is reviewed and the time it is run, and it can modify your local environment.

Why it was flagged

The optional self-hosting instructions run a remote shell script directly from GitHub's mutable main branch, with no checksum, pinned commit, or reviewed script content included in the artifacts.

Skill content
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/PayRam/payram-scripts/main/setup_payram.sh)"
Recommendation

Download and inspect the script first, pin it to a trusted commit or release, and run it in a disposable or least-privileged environment.
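The three steps of that recommendation, as an added example that is not part of the skill or of PayRam's scripts: rewrite the raw URL so it names a full commit SHA instead of the mutable main branch, refuse to stage the script unless its SHA-256 matches the digest recorded when it was read, and write it to disk with owner-only execute permission rather than piping it into bash. The script bytes and the 40-zero commit SHA are constructed placeholders; the digest is whatever you computed over the script you actually read.

```python
import hashlib
import hmac
import re
import stat
import tempfile
from pathlib import Path

# Constructed stand-in for the real setup_payram.sh; substitute the bytes you
# actually downloaded and read line by line before trusting them.
SAMPLE_SCRIPT = b"#!/bin/sh\necho 'example installer, does nothing'\n"

RAW_URL = re.compile(
    r"^https://raw\.githubusercontent\.com/"
    r"(?P<owner>[^/]+)/(?P<repo>[^/]+)/(?P<ref>[^/]+)/(?P<path>.+)$"
)
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_pinned(url: str) -> bool:
    """True only when the raw URL names a full commit SHA, not a branch or tag."""
    m = RAW_URL.match(url)
    return m is not None and FULL_SHA.match(m["ref"]) is not None


def pin_raw_url(url: str, commit: str) -> str:
    """Rewrite a branch-based raw URL so it fetches the commit you reviewed."""
    m = RAW_URL.match(url)
    if m is None:
        raise ValueError("not a raw.githubusercontent.com URL")
    if FULL_SHA.match(commit) is None:
        raise ValueError("commit must be a full 40-character lowercase hex SHA")
    return (f"https://raw.githubusercontent.com/{m['owner']}/{m['repo']}/"
            f"{commit}/{m['path']}")


def verify_script(content: bytes, expected_sha256: str) -> bool:
    """Compare the downloaded bytes against the digest recorded at review time."""
    return hmac.compare_digest(sha256_hex(content), expected_sha256.strip().lower())


def stage_script(content: bytes, expected_sha256: str, dest: Path) -> Path:
    """Write the script to disk only if it matches; never pipe it straight into bash."""
    if not verify_script(content, expected_sha256):
        raise RuntimeError("digest mismatch: the served script is not the one reviewed")
    dest.write_bytes(content)
    dest.chmod(stat.S_IRUSR | stat.S_IXUSR)  # owner read+execute, nothing for others
    return dest


if __name__ == "__main__":
    original = "https://raw.githubusercontent.com/PayRam/payram-scripts/main/setup_payram.sh"
    reviewed_commit = "0" * 40  # placeholder: use the SHA of the commit you read
    print("pinned URL:", pin_raw_url(original, reviewed_commit))
    digest = sha256_hex(SAMPLE_SCRIPT)  # record this alongside the pinned URL
    with tempfile.TemporaryDirectory() as tmp:
        path = stage_script(SAMPLE_SCRIPT, digest, Path(tmp) / "setup_payram.sh")
        print("staged at", path, "- run it inside a throwaway VM or container")
```

Pinning to a commit stops the content from drifting under you; the digest check catches a compromised or substituted file even at a pinned URL. Neither replaces reading the script, and the staged file should still be executed in a disposable environment, as the recommendation says.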

What this means

Project details, payment setup questions, or generated integration context may be shared with the remote PayRam MCP service.

Why it was flagged

The skill connects the user's agent tooling to an external MCP provider. This is expected for the stated purpose, but the documentation does not describe data boundaries or what information the remote provider receives.

Skill content
mcporter config add payram --url https://mcp.payram.com/mcp
Recommendation

Avoid sending secrets, customer data, private wallet keys, or production configuration to the MCP unless you have reviewed PayRam's data handling and trust the endpoint.
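A host-side check that supports that recommendation, as an added example that is not code from the skill, from PayRam, or from ClawScan: scrub the context the agent is about to send to the remote MCP for material that should never leave the machine, and report what was found. The patterns (PEM private keys, 64-hex-character strings that look like raw wallet private keys, and .env-style SECRET/TOKEN/PASSWORD/API_KEY assignments) and the sample context are constructed for illustration and are not a complete catalogue.

```python
import re

# Assumed patterns for material that must not cross into a remote MCP.
# Order matters: PEM blocks are removed first so their bodies never reach
# the later, narrower patterns.
SECRET_PATTERNS = [
    ("pem_private_key", re.compile(
        r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----", re.S)),
    # A bare 64-hex value is also the shape of a transaction hash; over-redacting
    # one of those is cheaper than leaking a raw signing key.
    ("hex_private_key", re.compile(r"\b(?:0x)?[0-9a-fA-F]{64}\b")),
    ("env_secret", re.compile(
        r"^(?P<name>[A-Z0-9_]*(?:SECRET|TOKEN|PASSWORD|PRIVATE_KEY|API_KEY)[A-Z0-9_]*)"
        r"\s*=\s*(?P<value>\S+)", re.M)),
]

# Constructed context an agent might assemble while helping with a PayRam setup.
SAMPLE_CONTEXT = (
    "Project: demo storefront, accepting USDT on Tron.\n"
    "Receiving wallet (public address, fine to share): TXYZexampleAddress\n"
    "PAYRAM_API_KEY=pk_live_constructed_example_value\n"
    "Please set up payouts signed with 0x" + "deadbeef" * 8 + " on mainnet.\n"
)


def scrub(text: str) -> tuple[str, list[str]]:
    """Return the text with secrets replaced and the list of pattern names that hit.

    For env-style assignments only the value is replaced, so the reviewer still
    sees which variable the agent tried to send.
    """
    findings: list[str] = []
    for kind, pattern in SECRET_PATTERNS:
        def _redact(m: re.Match, kind: str = kind) -> str:
            findings.append(kind)
            if m.groupdict().get("value"):
                return f"{m.group('name')}=[REDACTED:{kind}]"
            return f"[REDACTED:{kind}]"
        text = pattern.sub(_redact, text)
    return text, findings


def safe_to_send(text: str) -> bool:
    """Gate: true only if nothing needed redacting."""
    return not scrub(text)[1]


if __name__ == "__main__":
    cleaned, found = scrub(SAMPLE_CONTEXT)
    print("findings:", found)
    print(cleaned)
    print("safe to send as-is:", safe_to_send(SAMPLE_CONTEXT))
```

Use the redacted text when the remaining context is still useful to the provider, and block the send outright when a finding indicates production configuration or a signing key, since a redacted key is rarely something the remote service needed in the first place.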

What this means

Users may underestimate legal, compliance, fraud, custody, or operational risks when adding payment processing to an app.

Why it was flagged

The skill uses strong financial trust and compliance claims, including no KYC, no account-freeze risk, and all high-risk industries welcome. These claims are high-impact and not supported with clear caveats or risk disclosures in the artifact.

Skill content
No bank account. No Stripe. No KYC. No waiting days for approval.
...
Account freeze risk | High | None (self-hosted)
...
High-risk industries | Banned |  All welcome
Recommendation

Treat the claims as marketing until independently verified, and consult payment, legal, and security requirements before using this for real transactions.