Shopify Checkout API

Warn

Audited by ClawScan on May 10, 2026.

Overview

The skill is clearly meant for checkout, but it can send personal shipping details and x402 payment authorizations to an external service without explicit per-payment confirmation steps.

Review this carefully before installing. Only use it if you trust Credpay and the checkout endpoint, and require the agent to show the full quote, item, store, shipping address, requestId, and maximum charge for explicit approval before any payment or extra authorization.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A mistaken product URL, stale request, wrong quote, or unexpected price change could lead to an unintended purchase or additional charge.

Why it was flagged

The instructions tell the agent to submit a paid checkout and later authorize an additional payment if needed, but they do not instruct the agent to ask the user to confirm the quote or extra charge first.

Skill content

POST https://checkout-agent.credpay.xyz/v1/checkout ... X-PAYMENT: <x402 payment payload for maxAmount on Base chainId 8453> ... POST https://checkout-agent.credpay.xyz/v1/checkout/{requestId}/authorize ... X-PAYMENT: <x402 payment for extraOwed amount>

Recommendation

Require explicit user confirmation before every X-PAYMENT action, including the item, store, shipping address, quote, maximum spend, requestId, and any extraOwed amount.

What this means

The agent may be able to use delegated payment authority more broadly than the user expects during checkout.

Why it was flagged

An x402 payment payload is a payment authorization using the user's funds, but the artifact does not define clear wallet/source-of-funds boundaries, per-transaction approval, or spend caps.

Skill content

X-PAYMENT: <x402 payment payload for maxAmount on Base chainId 8453>

Recommendation

Declare the payment authority clearly and enforce per-transaction user approval, a maximum authorized amount, and a visible cancellation path.

What this means

Personal shipping and contact details will be shared with a third-party checkout service.

Why it was flagged

The skill discloses that checkout data, including personal contact and shipping information, is sent to an external Credpay API; this is purpose-aligned but sensitive.

Skill content

API Base URL: `https://checkout-agent.credpay.xyz` ... Collect these before starting ... Email ... Shipping address ... phone

Recommendation

Use only if you trust the provider, and confirm what personal data is being sent before checkout.

What this means

Users have less independent information for verifying who operates the checkout service and how it handles purchases.

Why it was flagged

There is no local code to review and limited provenance metadata for a skill that relies on a remote service to handle checkout and payment.

Skill content

Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.

Recommendation

Verify the provider and endpoint out of band before using the skill for real payments or personal shipping information.