Pactum Marketplace
Review
Audited by ClawScan on May 10, 2026.
Overview
The marketplace's purpose is clear, but the skill asks the agent to create and retain a live Pactum API key and to make order and payment API calls, so it needs careful review before use.
Use this only if you are comfortable letting an agent interact with Pactum. Verify the pactum.cc service and browse without registering when possible. Require explicit confirmation for every registration, top-up, paid or free order, shipping address, and USDC/payment step. Keep any API key out of chat logs by storing it only in a trusted secret store, and revoke it after use.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A retained API key could let the agent access the Pactum account and initiate future marketplace actions without the user re-entering the email code.
The skill asks the agent to create and retain a live marketplace API key, and even to display it, even though browsing does not require authentication. The registry declares no primary credential or config path, so how the key is stored, reused, and revoked is not clearly bounded.

> Discovery does **not** require JWT — but register first so you're ready to order.
> ...
> `API_KEY = data["api_key"]  # pk_live_... — save this permanently`
> ...
> `print(f"API Key: {API_KEY}")`

Only register when the user explicitly wants to buy, do not print API keys, store any key only in an approved secret store with user consent, and document token scope and revocation.
If used too broadly, the agent could create marketplace orders or initiate payment flows the user did not intend.
Authenticated API calls can create orders and payment top-up checkouts. This matches the marketplace purpose, but these are state-changing actions that should be user-approved each time.
> `r = requests.post(f"{BASE_URL}/market/buy/{item_id}", headers=headers, json={ ... })`
> ...
> `r = requests.post(f"{BASE_URL}/market/credit/topup", headers=headers, json={"amount": 10, "provider": "stripe"})`

Require explicit confirmation of the item, seller, price, payment method, shipping details, and total spend before any buy, top-up, or USDC/payment step.
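The two findings above (a retained, printed key and unconfirmed state-changing calls) share one fix: a thin client wrapper that loads the key from a secret store rather than chat, scrubs it from logs and `repr`, and refuses any POST that the user has not approved with the full item, seller, price, shipping and provider details in front of them. The block below is an added example, not the skill's or Pactum's own code. It assumes the key arrives in the `PACTUM_API_KEY` environment variable, that keys look like `pk_live_...`, that the API takes the key as a `Bearer` token, that `BASE_URL` is `https://api.pactum.cc`, and that a `/market/items` discovery path and a `shipping_address` payload key exist; only the `/market/buy/{item_id}` and `/market/credit/topup` paths come from the review's quotes. The HTTP transport is injectable so the guard can be exercised offline.

```python
"""Guarded client for an agent skill talking to a Pactum-style REST API (added example).

Assumptions (not from the skill): key in PACTUM_API_KEY, pk_live_ key prefix,
Bearer auth header, BASE_URL value, /market/items path, shipping_address key.
"""
import json
import logging
import os
import re
import urllib.request
from dataclasses import dataclass
from typing import Callable, Optional

BASE_URL = "https://api.pactum.cc"  # assumed; the review quotes BASE_URL without its value

KEY_RE = re.compile(r"pk_live_[A-Za-z0-9_]+")  # assumed key shape, from the review's "pk_live_..."


def redact(text: str) -> str:
    """Mask anything that looks like a live key before it reaches a log or chat transcript."""
    return KEY_RE.sub("pk_live_[REDACTED]", text)


class RedactingFormatter(logging.Formatter):
    """Log formatter that scrubs live keys from every record, including third-party ones."""

    def format(self, record: logging.LogRecord) -> str:
        return redact(super().format(record))


def load_api_key(env_var: str = "PACTUM_API_KEY") -> str:
    """Read the key from the environment (populated by a secret store); fail closed otherwise."""
    key = os.environ.get(env_var, "").strip()
    if not key:
        raise RuntimeError(f"{env_var} is not set; inject it from your secret store, never paste it into chat")
    return key


@dataclass
class PendingAction:
    """Everything the user is asked to approve before a state-changing call is sent."""
    kind: str      # "buy" or "topup"
    path: str
    payload: dict
    summary: str   # item, seller, price, shipping or amount and provider, in one line


class GuardedClient:
    def __init__(self, api_key: str, confirm: Callable[[PendingAction], bool],
                 send: Optional[Callable] = None, base_url: str = BASE_URL):
        self._api_key = api_key
        self._confirm = confirm               # called once per state-changing request
        self._send = send or self._http_send  # injectable so the guard can be tested offline
        self.base_url = base_url
        self.log = logging.getLogger("pactum.guarded")
        self.audit: list = []                 # every approved POST, for the user's records

    def __repr__(self) -> str:
        # An agent echoing the client object must not leak the key.
        return "GuardedClient(api_key=pk_live_[REDACTED])"

    @staticmethod
    def _http_send(method, url, headers, body):
        req = urllib.request.Request(url, data=body, headers=headers, method=method)
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.loads(resp.read() or b"{}")

    def _request(self, method, path, payload):
        headers = {"Authorization": f"Bearer {self._api_key}",  # assumed header shape
                   "Content-Type": "application/json"}
        body = json.dumps(payload).encode() if payload is not None else None
        self.log.info("%s %s", method, path)  # log the route only, never headers or body
        return self._send(method, self.base_url + path, headers, body)

    def list_items(self, path: str = "/market/items"):
        """Read-only discovery: no confirmation needed (path assumed)."""
        return self._request("GET", path, None)

    def _state_change(self, action: PendingAction):
        if not self._confirm(action):
            self.log.info("declined %s: %s", action.kind, action.summary)
            return None
        self.audit.append(action)
        return self._request("POST", action.path, action.payload)

    def buy(self, item_id: str, *, seller: str, price, currency: str, shipping: str):
        summary = f"buy item {item_id} from {seller} for {price} {currency}, ship to {shipping}"
        return self._state_change(PendingAction("buy", f"/market/buy/{item_id}",
                                                {"shipping_address": shipping}, summary))

    def topup(self, amount, provider: str):
        summary = f"top up {amount} via {provider}"
        return self._state_change(PendingAction("topup", "/market/credit/topup",
                                                {"amount": amount, "provider": provider}, summary))


def console_confirm(action: PendingAction) -> bool:
    """Interactive gate: show the full summary and require a literal 'yes' for each action."""
    return input(f"Approve {action.kind}? {action.summary} [yes/NO] ").strip().lower() == "yes"


if __name__ == "__main__":
    handler = logging.StreamHandler()
    handler.setFormatter(RedactingFormatter("%(levelname)s %(message)s"))
    logging.basicConfig(level=logging.INFO, handlers=[handler])
    client = GuardedClient(load_api_key(), console_confirm)
    print(client)                 # GuardedClient(api_key=pk_live_[REDACTED])
    client.topup(10, "stripe")    # sent only if the user types "yes"
```

The confirmation callback is the one place the user sees what is about to happen, so it receives the whole `PendingAction` rather than a bare "proceed?"; an agent runtime would replace `console_confirm` with its own approval prompt. Revocation is not automated here because the review notes the skill documents no revocation path; the key should be rotated in the Pactum account once the session is over.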
Using the skill may cause the agent to run Python HTTP requests from the user's environment.
The skill is instruction-only but expects local Python snippets to make network calls. This is proportionate for a REST API integration and is not hidden.
> **Use Python `requests`.** These are REST API endpoints.
Review the endpoints and request payloads before execution, and run them only in an environment where outbound calls to Pactum are acceptable.
