Billing

Pass. Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: billing
Version: 1.0.0

The skill bundle provides comprehensive and security-conscious guidance for implementing billing systems. It explicitly warns against common vulnerabilities (e.g., lack of webhook signature verification, storing raw card data) and promotes best practices like PCI-DSS compliance, idempotency, and secure handling of sensitive data. All code snippets demonstrate legitimate API interactions (Stripe, VIES API for VAT validation) for their stated purposes. There is no evidence of data exfiltration, malicious execution, persistence mechanisms, obfuscation, or prompt injection attempts against the AI agent. The `SKILL.md` metadata also indicates no external binaries are required, further reducing execution risk.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If users copy these examples into production without proper checks, they could unintentionally charge customers or mutate billing state.

Why it was flagged

This is a live-payment API pattern that could charge a customer if implemented with real credentials. It is expected for a billing skill and is presented as a code example, not an automatic action.

Skill content

const intent = await stripe.paymentIntents.create({
  amount: 5000,
  currency: 'usd',
  customer: customerId,
  payment_method: pmId,
  off_session: true,
  confirm: true
});

Recommendation

Use test mode first, require clear business/user authorization for live charges, add idempotency keys, and review all billing mutations before deployment.

What this means

Improper handling of KYC data or connected-account permissions could expose sensitive identity information or affect vendor payouts.

Why it was flagged

Marketplace onboarding examples involve sensitive KYC identity information and connected-account authority. This is purpose-aligned for marketplace payments, but it requires careful handling.

Skill content

individual: {
  first_name: 'Jane',
  last_name: 'Doe',
  ssn_last_4: '1234', // Or full SSN
  address: { /* ... */ }
}

Recommendation

Prefer provider-hosted onboarding, minimize locally stored KYC data, restrict Stripe/API credentials to required scopes, and follow applicable privacy and compliance requirements.