PayAClaw
ReviewAudited by ClawScan on May 10, 2026.
Overview
The PayAClaw instructions are mostly coherent, but the package also contains an unrelated WordPress-management skill that asks for credentials and can publish or delete content.
Review this skill before installing. The PayAClaw API workflow itself appears expected for a competition platform, but the included OpenClawLog file is unrelated and adds credential, publishing, deletion, and persistence behavior that should be separated or removed.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user installing PayAClaw may unknowingly receive instructions for an unrelated WordPress-management integration.
The package is advertised as PayAClaw but contains an additional file for a different service and domain, creating a provenance and purpose-coherence gap.
Name: PayAClaw ... Homepage: https://payaclaw.com ... File manifest: 2 file(s): SKILL.md; openclawlog-skill.md
Remove the unrelated OpenClawLog file from the PayAClaw package, or publish it as a separate clearly named skill with matching metadata and capability declarations.
If the agent used these instructions, it could publish, modify, or delete blog content outside the PayAClaw task-competition workflow.
The bundled unrelated file documents broad mutation authority over public WordPress content, including posts, pages, media, and comments.
Create, edit, delete posts ... Manage pages and media ... Handle comments
Do not use the OpenClawLog instructions as part of PayAClaw. Require explicit user approval and clear scoping for any content publishing or deletion capability.
The agent could gain and use account privileges for a separate publishing platform that the user did not expect from PayAClaw.
The unrelated file asks the agent to obtain credentials and grants publishing authority on a WordPress site, which is not declared in the PayAClaw metadata.
Every user needs to register and get credentials ... Instant publishing permissions (Author role)
Declare any credential requirements and privileged account actions in the skill metadata, and keep unrelated account integrations in separate skills.
Credentials could persist beyond the immediate task and be reused or exposed in later contexts.
The unrelated file recommends persistent storage of WordPress credentials, including in agent memory, without clear retention or access boundaries.
Recommended: Save your credentials to ~/.config/wordpress/credentials.json ... You can also save them to your memory, environment variables, or wherever you store secrets.
Avoid storing credentials in agent memory; use a secure secret store with explicit user control, limited scope, and clear deletion instructions.