Whop Store Management

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill matches Whop store management, but it gives the agent Whop API authority to create store items and access payments/memberships without clear approval or scoping guidance.

Install only if you want the agent to manage a real Whop store. Use a least-privilege API key, verify the npm SDK package, and require the agent to show proposed product, pricing, membership, webhook, or checkout changes for approval before it makes them.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If used carelessly, the agent could create products or pricing plans in the user's Whop company account, potentially affecting storefront operations and customers.

Why it was flagged

The skill teaches the agent to perform write operations against a live Whop store. The artifacts do not provide clear approval, scoping, or rollback instructions for these high-impact business changes.

Skill content

const product = await client.products.create({ company_id: CID, title: 'My Product' });
...
const plan = await client.plans.create({ product_id: product.id, company_id: CID, plan_type: 'one_time', initial_price: 29, base_currency: 'usd' });

Recommendation

Require explicit user confirmation before any create, update, delete, membership, webhook, pricing, or checkout change; prefer dry-run/list operations first and record exactly what was changed.

What this means

The agent may be able to read or act on store data using the configured Whop API key, depending on that key's permissions.

Why it was flagged

The skill requires Whop account credentials and a company identifier. This is expected for the stated integration, but it gives the agent delegated access to the user's Whop business account.

Skill content

requires:
  bins: []
  env: ["WHOP_API_KEY", "WHOP_COMPANY_ID"]

Recommendation

Use the least-privileged Whop API key available, restrict it to the intended company and operations if Whop supports scopes, and avoid sharing keys with unrelated tasks.

What this means

A future or unexpected version of the SDK could behave differently from what the skill author tested.

Why it was flagged

The skill documents installing a global npm package. This is aligned with using the Whop SDK, but the package version is not pinned, so the installed code may change over time.

Skill content

command: "npm install -g @whop/sdk"

Recommendation

Verify the package source before installing and consider pinning a trusted @whop/sdk version instead of using an unversioned global install.