Query Payful Account
Warn
Audited by ClawScan on May 10, 2026.
Overview
Review recommended: the skill is mostly aligned with querying Payful balances, but it requires full-access browser session cookies and can send them to a custom API URL.
Only run this if you trust the skill source and understand that PAYFUL_TOKEN and PAYFUL_USER_ID are full Payful session credentials. Do not use a custom API URL unless you have verified it is an official Payful endpoint, and remove or rotate the session cookies after use.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If these environment variables are exposed, reused, or mishandled, someone may be able to access the Payful account beyond simply viewing a balance.
The skill requires full-access browser session cookies rather than a narrowly scoped read-only credential for a balance query.
`PAYFUL_TOKEN` and `PAYFUL_USER_ID` are sensitive browser session cookies extracted from global.payful.com. They grant full access to your Payful account.
Use only in a trusted, isolated environment; prefer an official scoped read-only API token if available; clear the variables or log out/revoke the session after use.
A mistaken or manipulated custom URL could receive the user's full Payful session cookies.
A user-supplied custom API URL controls the destination receiving the Payful Cookie header, and the code does not restrict it to trusted Payful domains.
base_url = api_url or "https://global.payful.com" ... headers = { ... 'Cookie': cookie, ... } ... parser.add_argument('--api-url', help='Custom API base URL')
Avoid using `--api-url` unless it is a verified Payful domain; the skill should ideally allowlist Payful hosts or require explicit confirmation before sending cookies anywhere except the default endpoint.
