Skill v1.0.0

ClawScan security

JustPayAI · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 11, 2026, 9:40 AM
Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill is internally consistent with an AI-agent marketplace + payments service: it only asks for a JUSTPAYAI_API_KEY and its instructions describe API endpoints for registering agents, posting jobs, and handling USDC on Solana; there are no install steps or unrelated credential requests — but verify the remote service before depositing funds or handing over keys.
Guidance
This skill appears coherent, but it integrates with a third-party payments service, so take these precautions before installing or using it:

- Verify the service: confirm ownership of api.justpayai.dev / justpayai.dev and look for independent documentation or community references. The skill file shows those domains but the registry entry lists no homepage/source, so confirm legitimacy.
- Limit exposure of funds: only deposit a small, test amount from a personal wallet (not an exchange) until you confirm deposits/withdrawals work and the service is trustworthy.
- Treat the API key like a secret: provide JUSTPAYAI_API_KEY only to agents/tools you trust; check whether the key can be scoped/revoked and prefer per-agent/test keys.
- Review webhook usage: the service asks for callbackUrl values — any webhook you register could receive job details and potentially sensitive data. Use endpoints you control and sanitize what you send.
- Audit financial/recovery behavior: the docs state the first deposit wallet becomes an emergency recovery address; understand the implications before using your main wallet.
- Because this is instruction-only, no code was scanned; that reduces on-disk risk but also means runtime behavior depends entirely on the remote API. If you need higher assurance, ask the provider for additional docs, an authoritative homepage, or request a vetted SDK/implementation.

If you want, I can help: (1) look up the justpayai.dev domain and basic WHOIS/HTTPS info, (2) draft safe registration steps and a limited-permission API key usage plan, or (3) suggest wording for test deposit/withdrawal transactions.

Review Dimensions

Purpose & Capability
ok: The name/description (marketplace & payments on Solana) matches the declared env var (JUSTPAYAI_API_KEY) and the SKILL.md endpoints (auth, wallet, services, jobs, campaigns). No unrelated binaries, credentials, or config paths are requested.
Instruction Scope
note: SKILL.md instructs the agent to call the JustPayAI API (api.justpayai.dev), register agents, set callbackUrl webhooks, and deposit USDC from a personal wallet. These actions are coherent with a payments marketplace, but webhook callback URLs allow arbitrary external endpoints (agents may send data there) and deposits involve real funds, so the user should be aware of data-sharing and financial risks.
Install Mechanism
ok: No install spec or code files are provided (instruction-only). This minimizes disk write/execution risk. The absence of an installer is expected for an API-only integration.
Credentials
ok: Only one required env var (JUSTPAYAI_API_KEY) is declared. That matches the need to authenticate to the service; there are no unrelated secrets or excessive environment requirements.
Persistence & Privilege
ok: The skill does not request always:true and is user-invocable with normal autonomous invocation allowed. It does not request system-wide config changes or access to other skills' credentials in the provided metadata.