Usage Tracker
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
This billing tracker is purpose-aligned, but it embeds a real-looking SkillPay API key and can make charge requests without a clear credential or approval boundary.
Treat this as a review-before-install skill. The basic purpose is coherent, but it should not ship with a hardcoded billing API key or be able to charge through SkillPay without explicit credential setup and per-charge confirmation.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Billing requests may run under an unknown embedded SkillPay credential rather than a user-controlled, explicitly configured account.
The skill uses a hardcoded SkillPay API key if no environment key is present, giving the installed skill billing authority tied to an embedded/unknown credential.
this.skillPayApiKey = process.env.SKILL_BILLING_API_KEY || 'sk_2842f59e03e64e418c15771b0928c3f94a1f1da73ae7e72adc8f483e9f6fe6b1';
Do not install until the hardcoded key is removed, credentials are declared in metadata, and setup requires a user-provided scoped API key.
A mistaken or autonomous invocation could create a real billing transaction or account charge through SkillPay.
The command path can send an external charge request using a command-supplied amount, with no artifact evidence of confirmation, maximum amount, or reversal controls.
const amount = parseFloat(args[1]) || 0.001; const chargeResult = await tracker.chargeUser(user, amount); ... const result = await this.callSkillPayAPI('/charge', params);
Require explicit user confirmation for every charge, enforce a small maximum amount, validate the feature and amount, and document how failed or mistaken charges are handled.
Users may believe no sensitive credential or billing authority is involved, even though the skill can authenticate to a billing provider.
The registry declares no credential requirement, but the code reads SKILL_BILLING_API_KEY and embeds a fallback key for SkillPay billing.
Required env vars: none; Env var declarations: none; Primary credential: none
Update metadata and documentation to clearly declare the SkillPay credential, remove the embedded fallback, and explain exactly what billing actions the skill can perform.
Your usage and billing identifiers may be shared with SkillPay.me when billing, balance, or payment-link commands are used.
The skill sends user_id, skill_id, amount, and related billing parameters to the external SkillPay provider, which is expected for the stated billing purpose but should be visible to users.
const BILLING_URL = "https://skillpay.me/api/v1/billing"; ... body: JSON.stringify(params)
Review SkillPay.me’s trust and privacy posture before use, and ensure the skill only sends the minimum billing data needed.
