v1.0.0

Whop Store Management

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 5:52 AM.

Analysis

The skill is coherent for Whop store management, but it requires business API credentials and can create store products, pricing plans, and access payments/memberships without clear approval or scope limits.

Guidance: Install only if you intentionally want an agent to help manage your Whop business account. Use a restricted API key, confirm every store-changing action before it runs, be careful with payment and membership data, and verify or pin the Whop SDK package before installing it.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: High | Confidence: High | Status: Concern
SKILL.md
// Create product
const product = await client.products.create({ ... });

// Create pricing plan
const plan = await client.plans.create({ ... });

The skill documents Whop API write operations that can change a business store's products and pricing, but it does not add explicit approval, scope, or rollback requirements.

User impact: If used without careful confirmation, the agent could make real store changes that affect checkout, revenue, or customer-facing listings.
Recommendation: Require explicit user confirmation for every create, update, delete, membership, webhook, notification, or pricing action, and prefer dry-run/read-only behavior unless the user clearly authorizes a change.
Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
SKILL.md
command: "npm install -g @whop/sdk"

The install guidance uses a global npm package install without a pinned version. This is aligned with the Whop SDK purpose, but users should be aware of package provenance and version drift.

User impact: A future package change or compromised dependency could affect the local environment used by the skill.
Recommendation: Verify the npm package source, consider pinning a known-good version, and install it in a controlled project environment rather than globally when possible.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: High | Confidence: High | Status: Concern
SKILL.md
requires:
  env: ["WHOP_API_KEY", "WHOP_COMPANY_ID"]
...
const payments = await client.payments.list({ company_id: CID });
const members = await client.memberships.list({ company_id: CID });

The skill requires Whop account credentials and demonstrates access to payment and membership records, but the artifacts do not specify least-privilege scopes or handling limits.

User impact: The API key could expose sensitive business, customer, payment, and membership information to the agent's working context and allow account changes depending on the key's permissions.
Recommendation: Use the most restricted Whop API key available, avoid broad admin tokens where possible, keep credentials out of logs and shared chats, and revoke or rotate the key when no longer needed.