Paddle
Review
Audited by ClawScan on May 10, 2026.
Overview
This Paddle skill looks purpose-aligned and not malicious, but it needs Paddle account credentials and keeps local integration notes, so use sandbox mode and keep secrets out of its memory file.
Install this only if you intend to work on Paddle billing. Use sandbox mode first, keep API keys and webhook secrets in environment variables or a secret manager, review any live customer or subscription mutation before it runs, and only install the optional Paddle CLI if you need webhook testing.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used with a production Paddle key, actions can read or change customer, transaction, and subscription records.
The skill uses a Paddle API key for account actions, including subscription cancellation. This is expected for a payments integration, but it is high-impact authority over billing data.
curl -X POST https://api.paddle.com/subscriptions/sub_xxx/cancel \
  -H "Authorization: Bearer $PADDLE_API_KEY"
Use sandbox keys first, keep the API key in an environment variable or secret manager, and require an explicit, separate confirmation step before creating, canceling, pausing, or resuming live subscriptions; read requests against production are lower risk, but any non-GET call with a live key changes billing records.
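The following is an added example, not code from the Paddle skill or from ClawScan's output: a small guard around Paddle Billing API calls that enforces the advice above. It reads the key only from the environment, defaults to the sandbox host, refuses a key whose prefix does not match the selected environment, and blocks mutating calls (anything other than GET) against production unless a confirmation flag is set. Assumptions made here and not stated on the page: the sandbox host is `https://sandbox-api.paddle.com`, newer Paddle keys carry an environment prefix (`pdl_live_apikey_...` / `pdl_sdbx_apikey_...`) while older keys have none, and the variable names `PADDLE_ENV` and `PADDLE_CONFIRM_LIVE` are chosen for this example.

```python
"""Guard for Paddle Billing API calls (added example; assumptions are noted inline)."""
import json
import os
import urllib.request
from dataclasses import dataclass
from typing import Optional

LIVE_BASE = "https://api.paddle.com"
SANDBOX_BASE = "https://sandbox-api.paddle.com"  # assumed sandbox host

# Anything that is not a read is treated as a mutation of billing records.
MUTATING_METHODS = {"POST", "PATCH", "PUT", "DELETE"}


@dataclass
class Plan:
    method: str
    url: str
    needs_confirmation: bool
    reason: str


def resolve_base(env: str) -> str:
    """Map the environment name to an API host; refuse anything else rather than defaulting to live."""
    if env == "sandbox":
        return SANDBOX_BASE
    if env == "live":
        return LIVE_BASE
    raise ValueError(f"PADDLE_ENV must be 'sandbox' or 'live', got {env!r}")


def key_environment(api_key: str) -> Optional[str]:
    """Infer which environment a key belongs to from its prefix (assumed key format), or None."""
    if api_key.startswith("pdl_live_"):
        return "live"
    if api_key.startswith("pdl_sdbx_"):
        return "sandbox"
    return None  # prefix-less (older) key: fall back to PADDLE_ENV alone


def plan_request(method: str, path: str, env: str, api_key: str,
                 confirmed: bool = False) -> Plan:
    """Decide whether a request may proceed without a separate confirmation step."""
    base = resolve_base(env)
    method = method.upper()
    key_env = key_environment(api_key)
    # A live key pointed at the sandbox host (or vice versa) is a misconfiguration, not a request.
    if key_env is not None and key_env != env:
        raise ValueError(f"API key looks like a {key_env} key but PADDLE_ENV is {env!r}")
    url = base + path
    if env == "live" and method in MUTATING_METHODS and not confirmed:
        return Plan(method, url, True, "live mutation requires explicit confirmation")
    return Plan(method, url, False, "allowed")


def send(plan: Plan, api_key: str, body: Optional[dict] = None) -> dict:
    """Perform a planned request. Raises instead of silently mutating live data."""
    if plan.needs_confirmation:
        raise PermissionError(plan.reason)
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        plan.url, data=data, method=plan.method,
        headers={"Authorization": f"Bearer {api_key}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:  # real network call; not exercised offline
        return json.load(resp)


if __name__ == "__main__":
    api_key = os.environ["PADDLE_API_KEY"]          # never read this from ~/paddle/memory.md
    env = os.environ.get("PADDLE_ENV", "sandbox")   # default to sandbox, never to live
    confirmed = os.environ.get("PADDLE_CONFIRM_LIVE") == "yes"
    plan = plan_request("POST", "/subscriptions/sub_xxx/cancel", env, api_key, confirmed)
    print(plan)
    if not plan.needs_confirmation:
        print(send(plan, api_key))
```

With `PADDLE_ENV` unset the cancel call above goes to the sandbox host; with `PADDLE_ENV=live` it is refused until `PADDLE_CONFIRM_LIVE=yes` is set for that one invocation, which is the explicit per-mutation confirmation the finding asks for.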
Secrets or sensitive billing identifiers placed in persistent memory could be reused in later sessions or exposed to anyone who can read that local file.
The skill keeps persistent local memory, and one line ambiguously suggests API keys may be stored there, even though other files advise using environment variables and no configuration key for storing credentials is visible.
Memory lives in `~/paddle/` ... `memory.md # API keys, environment, product IDs`
Do not store Paddle API keys or webhook secrets in `~/paddle/memory.md`; keep only non-secret integration notes there (environment name, product and price IDs) and use environment variables or a secret manager for credentials. Check the file for credential-shaped values before each session, since anything written there persists across sessions and is readable by any local process or user with access to the home directory.
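As an added example, not part of the skill or of ClawScan's output, the following pre-use check scans the memory file for credentials so that only non-secret integration notes remain in it. It is an assumption of this example, not something the page states, that Paddle API keys and webhook secret keys can be recognised by the prefixes `pdl_live_apikey_`, `pdl_sdbx_apikey_` and `pdl_ntfset_`; anything else is caught only by a generic "credential-like label followed by a long token" heuristic. The sample memory file is constructed for the example.

```python
"""Scan the Paddle skill's memory file for secrets (added example; assumptions noted inline)."""
import re
from pathlib import Path
from typing import List, Tuple

# Assumed Paddle credential formats (not taken from the page).
PADDLE_SECRET_RE = re.compile(r"\bpdl_(?:live_apikey|sdbx_apikey|ntfset)_[A-Za-z0-9]+")
# Generic fallback: a credential-like label followed by a long, token-like value.
LABELED_SECRET_RE = re.compile(
    r"(?i)\b(api[_ -]?key|secret|token|password)\b\s*[:=]\s*([A-Za-z0-9_\-]{20,})"
)

Finding = Tuple[int, str, str]  # (line number, kind, redacted value)


def redact(value: str) -> str:
    """Keep enough of the value to locate it in the file without reproducing the secret."""
    return value[:8] + "..." + value[-4:]


def scan_memory(text: str) -> List[Finding]:
    """Return every credential-looking value in the file, in file order."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PADDLE_SECRET_RE.finditer(line):
            findings.append((lineno, "paddle_credential", redact(m.group(0))))
        for m in LABELED_SECRET_RE.finditer(line):
            value = m.group(2)
            if PADDLE_SECRET_RE.fullmatch(value):
                continue  # already reported as a Paddle credential above
            findings.append((lineno, "labeled_secret", redact(value)))
    return findings


def is_safe_for_memory(text: str) -> bool:
    """True when nothing credential-shaped was found; product/price IDs are fine to keep."""
    return not scan_memory(text)


# Constructed sample memory file (not a real file from any installation).
SAMPLE_MEMORY = "\n".join([
    "# Paddle integration notes (constructed sample)",
    "environment: sandbox",
    "product: pro_01example",
    "price: pri_01example",
    "api key: pdl_sdbx_apikey_01abcdefghijklmnopqrstuv",
    "webhook secret: pdl_ntfset_01abcdefghijklmnopqrstuv",
    "legacy api_key = 7f3a9c2e1b5d8e4a6c0f2b9d",
])


if __name__ == "__main__":
    memory_file = Path.home() / "paddle" / "memory.md"
    text = memory_file.read_text() if memory_file.exists() else SAMPLE_MEMORY
    for lineno, kind, shown in scan_memory(text):
        print(f"line {lineno}: {kind}: {shown}")
```

The scanner is a backstop, not a guarantee: a short value such as `password = hunter2` falls under the 20-character threshold and is missed, so the primary control remains never writing credentials into the file in the first place.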
Installing the CLI globally can add executable code to the local environment outside this instruction-only skill.
The optional webhook testing workflow installs a global npm package. This is relevant to the stated purpose, but global package installation is still a supply-chain surface.
npm install -g @paddle/paddle-cli
Install the Paddle CLI only if you need webhook testing, confirm on the npm registry that the package is published by Paddle before installing it, pin an exact version rather than `latest`, review any install-time scripts the package declares, and run webhook forwarding from a development environment rather than a production host.
