v0.2.2

OpenClaw Paid Actions

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 5:50 AM.

Analysis

The skill coherently describes a paid-action invoice flow, with disclosed reliance on a trusted plugin that can run configured scripts after Solana payment.

Guidance: Install only if you trust the openclaw-paid-actions plugin and have reviewed every configured paid-action script. Protect the invoice secret and store path, verify the USDC recipient address, and require extra human approval for any action that posts publicly or changes important accounts.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Medium | Confidence: High | Status: Note
SKILL.md
`execute`: Run the action after invoice is confirmed paid ... "command": ["node", "scripts/paid-actions/x-shoutout.mjs"] ... "Post a paid shoutout on X"

The skill intentionally allows a tool to execute configured local scripts after payment, including an example that can publish public content. This is purpose-aligned but high-impact if misconfigured.

User impact: A paid invoice could lead to real local script execution or public account activity, depending on the configured actions.
Recommendation: Only enable actions you have reviewed, keep commands tightly allowlisted, and require human approval for actions that post publicly or modify important accounts.
Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
SKILL.md
This skill is instruction-only. It expects a trusted installed implementation of the `openclaw-paid-actions` plugin that provides `openclaw_paid_action`.

The artifact does not include the plugin implementation or action scripts; the skill openly depends on separately installed trusted code.

User impact: The real safety of the workflow depends on the installed plugin and action scripts, not just this instruction file.
Recommendation: Verify the plugin source and review every configured script before adding the tool to the agent's allowed tools.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low | Confidence: High | Status: Note
SKILL.md
"payTo": "${OPENCLAW_USDC_PAY_TO}", "invoiceSecret": "${OPENCLAW_PAID_ACTIONS_INVOICE_SECRET}", "invoiceStorePath": "${OPENCLAW_PAID_ACTIONS_INVOICE_STORE_PATH}"

The skill requires a payment destination and invoice-signing secret, which are expected for this purpose but sensitive to misconfiguration or disclosure.

User impact: A wrong payment address could misdirect funds, and a leaked invoice secret could undermine invoice integrity.
Recommendation: Store the invoice secret securely, restrict access to the invoice store path, and verify the USDC recipient address before enabling production use.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Low | Confidence: Medium | Status: Note
SKILL.md
`invoice`: Create a signed invoice token for an action/input ... Invoice execution uses the input embedded in the invoice token.

Action input can be persisted in signed invoice state and later reused for execution. This is expected, but users should avoid storing sensitive or unreviewed content in invoices.

User impact: Sensitive or unsafe action input could be retained in invoice records and later passed to an action script.
Recommendation: Avoid putting secrets in paid-action inputs, set retention controls on invoice storage, and validate inputs inside each action script.