clink-interg-skills
Pass
Audited by VirusTotal on May 8, 2026.
Overview
Type: OpenClaw Skill
Name: clink-interg-skills
Version: 1.2.0

The clink-integ-skills bundle is a developer-focused tool designed to guide AI agents through Clink payment integrations. It features a robust architecture including a 'Production Validation Gate' (in lib/skill-runtime.mjs and lib/runtime-machine.mjs) that enforces sandbox defaults and requires explicit validation of security controls (like signature verification and idempotency) before providing production guidance. The skill includes utilities for fetching official documentation and payment skill contexts from trusted sources (docs.clinkbill.com and GitHub), and it explicitly instructs the agent in SKILL.md to avoid requesting sensitive secrets from users. No evidence of malicious intent, data exfiltration, or unauthorized execution was found.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Guidance produced by this skill could shape integrations that initiate payments, top-ups, or refunds through another payment skill.
The skill guides integrations around payment/refund-capable tools. This is expected for a Clink payment-integration skill, but it is high-impact if implemented incorrectly.
preserving the `clink-payment-skill` boundary: it executes wallet/card/pay/refund/risk-rule operations, but does not decide pricing, entitlement, or merchant receipt confirmation
Use sandbox first, keep pricing and entitlement checks server-side, and require explicit user or merchant approval before any live payment or refund action.
Using the skill may execute local scripts and create/update cache files in the skill directory.
The skill explicitly instructs the agent to run local Node helper scripts during some workflows.
run `node scripts/load_official_docs.mjs` ... run `node scripts/load_payment_skill_contexts.mjs --dependency openclaw-payment-skills --print-path`
Run the skill from a trusted checkout, inspect helper scripts if needed, and avoid running it with elevated privileges.
The guidance may change when the upstream repository changes; a compromised or mistaken upstream context could influence integration recommendations.
The helper downloads latest payment-skill context from an unpinned GitHub main-branch zip. It checks the expected skill name, but does not pin a commit or verify a signature.
defaultUrl: "https://codeload.github.com/clinkbillcom/agentic-payment-skills/zip/refs/heads/main"
For production-sensitive reviews, pin or record the exact commit/source metadata and review the downloaded cache before relying on it.
Stale or tampered cached context could steer future integration answers until the cache is refreshed or cleared.
Remote payment-skill context is cached locally and then read by the agent for later guidance.
The script downloads the requested GitHub codeload zip context into `.cache/payment-skill-contexts/`, writes source metadata
Refresh from trusted sources, check cache metadata, and cross-check important claims against official documentation.
If real API keys or webhook signing keys are pasted into an agent conversation or logs, they could be exposed or misused.
The integration checklist involves merchant API and webhook secrets. This is normal for the stated payment-integration purpose, but those credentials are sensitive.
Configure `CLINK_SECRET_KEY` ... Configure `CLINK_WEBHOOK_SIGNING_KEY`
Store live secrets in a secrets manager or environment variables, avoid sharing them in chat, and use sandbox keys for testing.
