Billing
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If users copy these examples into production without proper checks, they could unintentionally charge customers or mutate billing state.
This is a live-payment API pattern that could charge a customer if implemented with real credentials. It is expected for a billing skill and is presented as a code example, not an automatic action.
const intent = await stripe.paymentIntents.create({
  amount: 5000,
  currency: 'usd',
  customer: customerId,
  payment_method: pmId,
  off_session: true,
  confirm: true
});
Use test mode first, require clear business/user authorization for live charges, add idempotency keys, and review all billing mutations before deployment.
Improper handling of KYC data or connected-account permissions could expose sensitive identity information or affect vendor payouts.
Marketplace onboarding examples involve sensitive KYC identity information and connected-account authority. This is purpose-aligned for marketplace payments, but it requires careful handling.
individual: {
  first_name: 'Jane',
  last_name: 'Doe',
  ssn_last_4: '1234', // Or full SSN
  address: { /* ... */ }
}
Prefer provider-hosted onboarding, minimize locally stored KYC data, restrict Stripe/API credentials to required scopes, and follow applicable privacy and compliance requirements.
