Ucp Checkout Rest
Pass
Audited by VirusTotal on May 13, 2026.
Overview
Type: OpenClaw Skill
Name: ucp-checkout-rest
Version: 1.0.0

The skill bundle provides legitimate architectural guidance and implementation instructions for the Universal Checkout Protocol (UCP) REST binding. It outlines standard API operations, header requirements (including cryptographic signatures), and error handling logic. The instructions to fetch live specifications from ucp.dev are consistent with the stated purpose, and there are no signs of malicious code, data exfiltration, or harmful prompt injection.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A generated client could update checkout sessions and complete purchases if connected to a real merchant and payment credential.
The skill directs an agent/client toward mutating checkout state and completing a checkout. This is expected for a checkout protocol, but completion can create orders or purchases.
The agent's job is to drive the session from `incomplete` to `ready_for_complete` by resolving messages, then call complete.
Require explicit buyer approval before completing checkout, show final totals and terms, and enforce spending limits, idempotency, and audit logging.
Payment credentials or signing material could authorize real financial transactions if mishandled.
The protocol flow involves obtaining and using a payment credential, which is privileged financial authority. The artifact does not show misuse, but implementations need careful scoping.
When `ready_for_complete`: acquire payment credential, call complete
Use tokenized or least-privilege payment credentials, protect request-signing keys, never log credentials, and clearly separate test and production checkout environments.
If the wrong page or compromised documentation were followed, generated checkout code could implement incorrect or unsafe behavior.
The skill relies on live online specification content. This is reasonable for keeping protocol details current, but dynamic web content should be verified before being used to generate payment-related code.
Fetch live spec: Web-search `site:ucp.dev specification checkout-rest` and fetch the page for the exact current endpoint shapes
Use the official HTTPS UCP documentation, record the spec version used, and review generated code before deploying it.
