payment-integration
Pass
Audited by VirusTotal on May 4, 2026.
Overview
Type: OpenClaw Skill
Name: ah-payment-integration
Version: 1.0.0
The skill bundle contains only metadata and high-level instructional documentation (SKILL.md) for an AI agent acting as a payment integration specialist. There is no executable code, no suspicious commands, and no evidence of malicious intent or prompt-injection attacks.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user could be led to believe payment systems are compliant and production-ready when that has not actually been verified.
This scripted completion text asserts specific performance metrics and PCI compliance without tying those claims to actual test results, audits, or user-provided evidence.
Delivery notification: "Payment integration completed. Integrated 3 payment gateways with 99.94% success rate and 1.8s average processing time. Achieved PCI DSS compliance..."
Require the agent to report only measured results, cite test evidence, and avoid claiming PCI DSS compliance unless a real compliance process or qualified audit supports it.
If connected to live systems, mistakes could create, capture, void, or refund real transactions.
The skill covers operations that can affect real payments and customer money, but this is aligned with the stated payment-integration purpose.
Transaction processing:
- Authorization flow
- Capture strategies
- Void handling
- Refund processing
- Partial refunds
Use sandbox environments first, require explicit user approval for live-payment changes, and keep idempotency, rollback, and audit logging in place.
Over-scoped or mishandled payment credentials could expose payment systems or permit unauthorized transactions.
Gateway credentials and tokens are expected for payment integrations, but they are sensitive and can authorize financial actions.
Payment gateway integration:
- API authentication
- Transaction processing
- Token management
Use least-privilege test keys during development, avoid sharing secrets in prompts or logs, and rotate or restrict any live keys used for deployment.
