Payments
Pass
Audited by ClawScan on May 1, 2026.
Overview
This is a coherent instruction-only payments guidance skill with no code, install step, or credentials, though its advice touches live billing operations and payment-event logging that users should handle carefully.
This appears safe to install as a reference skill. When using it to implement real payments, keep work in test mode until reviewed, require explicit approval for live billing or subscription changes, never store card data, and avoid retaining raw payment webhook logs unless they are redacted and access-controlled.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If these workflows are applied to a live system without review, they could affect customer billing or access.
The skill discusses actions that can affect payments, customer access, and refunds. This is expected for a payments integration guide, and no tool or credential is provided, but production use should be controlled.
`payment_intent.succeeded` | Fulfill order, grant access ... `customer.subscription.deleted` | Revoke access ... `charge.refunded` | Reverse fulfillment
Use provider test mode first, require human approval for live charges/refunds/subscription changes, and keep webhook handlers idempotent and reversible.
Payment-related logs could retain sensitive customer or transaction information longer than intended.
Raw payment webhook payloads can include customer or transaction metadata. Logging them may be useful for debugging, but should be minimized, redacted, access-controlled, and expired.
Log raw payloads for debugging
Log only what is necessary, redact sensitive fields, restrict log access, set retention limits, and follow the skill's other guidance not to log or store card data.
