Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
x402 Commerce Kit: Merchant Starter Kit + Payment Rails Guide + Security Hardening
v1.3.1
Launch a crypto-native storefront from scratch. Includes the x402 Merchant Starter Kit (deployable code), agent payment rails playbook, and commerce security...
by @mirni
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious (medium confidence)
Purpose & Capability
The metadata promises a deployable 'Merchant Starter Kit' and production code, but there are no code files or install steps. At the same time the skill requires multiple credentials (GITHUB_TOKEN, STRIPE_API_KEY, AGENT_SIGNING_KEY, DASHBOARD_SECRET, etc.) that would give broad operational control. Requiring all of these secrets is disproportionate to what's actually packaged (only an instruction/metadata file).
Instruction Scope
SKILL.md contains only metadata and a bundle listing; it provides no concrete runtime instructions for safe use. Because it lacks explicit, scoped runtime steps, it's ambiguous what the agent is expected to do with the declared credentials — the instructions do not constrain or justify access to the listed secrets.
Install Mechanism
No install spec and no code files are present, so nothing will be downloaded or written by an installer. That reduces some supply-chain risk, but it also means the skill’s claim of deployable code is unsupported.
Credentials
The skill requires multiple sensitive environment variables: GITHUB_TOKEN (primary), STRIPE_API_KEY, AGENT_SIGNING_KEY, DASHBOARD_SECRET, GREENHELIX_API_KEY, and WALLET_ADDRESS. While a GitHub token and payment key might be reasonable for deployment and payment integration, AGENT_SIGNING_KEY and DASHBOARD_SECRET are highly sensitive and not justified by the provided content. Combined, these credentials would permit repository access, payment operations, admin dashboard access, and signing authority — an excessive and risky set for an instruction-only bundle.
Persistence & Privilege
The skill does not request 'always: true' and is user-invocable only. Autonomous invocation is enabled by default (not flagged alone), but given the broad credential requirements this increases potential impact if the agent acts without tight constraints. The skill does not appear to modify other skills or system-wide settings.
What to consider before installing
Do not provide high-privilege secrets to this skill without further verification. Ask the publisher for the following before installing: (1) the actual deployable code repository or release URL, (2) a clear, step-by-step runtime plan explaining exactly which credential is used for which action, and (3) minimal required scopes for any token. If you must test it, create least-privilege, ephemeral tokens (scoped GitHub token limited to a single repo, Stripe test keys, a throwaway wallet and dashboard account) and run in an isolated environment. Avoid supplying AGENT_SIGNING_KEY or any admin/dashboard secret unless you can inspect the code and confirm necessity. Rotate any keys you exposed during testing.
Like a lobster shell, security has layers — review code before you run it.
Tags: ai-agent, bundle, code, greenhelix, guide, latest, openclaw, payments, security, starter-kit, x402
Runtime requirements
Env: GITHUB_TOKEN, WALLET_ADDRESS, DASHBOARD_SECRET, GREENHELIX_API_KEY, AGENT_SIGNING_KEY, STRIPE_API_KEY
Primary env: GITHUB_TOKEN
