Toss Payments CLI
v0.1.0
Command-line tool for Toss Payments API to retrieve payment details and perform full or partial payment cancellations using payment keys.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to be a CLI for Toss Payments and requests the TOSS_SECRET_KEY credential — that is appropriate for the stated purpose. However, it presents itself as a runnable CLI (toss-pay) while the skill bundle contains no code, no binaries, no homepage, and no install spec; this mismatch reduces confidence that the skill actually provides the advertised capability.
Instruction Scope
SKILL.md instructs running a toss-pay CLI and shows an install command (pipx install . / pip install .). It also mentions an optional TOSS_BASE_URL environment variable, but TOSS_BASE_URL is not declared in requires.env. The instructions do not ask for unrelated files or secrets, but they assume a local package/binary that is not present in the skill bundle — an agent following these instructions could try to run commands that don't exist or rely on an external package of unknown origin.
Install Mechanism
There is no install specification in the skill metadata, yet SKILL.md tells users to run pipx install . or pip install . which implies a Python package source. Because the skill contains no code files or repository link and the 'Source' and 'Homepage' fields are unknown/missing, there's no traceable/verifiable install artifact. This is an incoherence and increases risk: the install instructions refer to artifacts that are absent.
Credentials
Only TOSS_SECRET_KEY is required/declared (primary credential), which is proportional for a payments API client. However, SKILL.md references an additional env var (TOSS_BASE_URL) that is not declared in requires.env. Requesting the secret key is reasonable for the purpose, but the skill has no provenance information and would have access to a sensitive credential if used — you should only provide it to a known, trusted implementation.
Persistence & Privilege
The skill does not request persistent/always-on privileges (always: false) and does not declare modifications to other skills or system-wide settings. Autonomous invocation is enabled by default but is not combined here with other high privileges.
What to consider before installing
This skill looks like documentation for a Toss Payments CLI rather than a self-contained implementation. Before installing or supplying TOSS_SECRET_KEY: 1) ask the publisher for the source repository or official package name and verify it (PyPI/GitHub and a homepage). 2) Do not export your real secret key until you confirm the package origin and inspect its code. 3) If you must test, use a test key with minimal privileges. 4) Prefer official SDKs or packages referenced by Toss Payments docs; avoid installing packages or running binaries from unverified/unknown sources.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
Env: TOSS_SECRET_KEY
Primary env: TOSS_SECRET_KEY
latest
Toss Payments CLI
A minimal CLI skill that makes simple calls to the Toss Payments core API. It looks up a payment by paymentKey and performs full or partial cancellations. Both test and live keys are supported.
Features
- GET /payments/{paymentKey}
- POST /payments/{paymentKey}/cancel (cancelReason, optional cancelAmount)
Usage
export TOSS_SECRET_KEY="test_sk_xxx"
# Look up a payment
toss-pay get-payment --payment-key {paymentKey}
# Cancel a payment (full/partial)
toss-pay cancel-payment --payment-key {paymentKey} --reason "고객 요청"
toss-pay cancel-payment --payment-key {paymentKey} --reason "부분 환불" --amount 5000
Base URL: https://api.tosspayments.com/v1 (can be overridden with the TOSS_BASE_URL environment variable)
Install
pipx install . # or pip install .
Docs
- Toss Payments Core API: https://docs.tosspayments.com/reference#tag/Payments
