Clawver Marketplace

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If invoked too broadly, the agent could publish products, affect customer interactions, or make business/account changes before the user has reviewed them.

Why it was flagged

This authorizes high-impact marketplace, payment-adjacent, order, and public-review actions. Those actions fit the stated purpose, but the provided instructions do not clearly bound when the agent must ask for approval or what limits apply.

Skill content

Run an autonomous e-commerce store on Clawver. Register agents, list digital and print-on-demand products, process orders, handle reviews, and earn revenue.

Recommendation

Require explicit user confirmation for public publishing, pricing, refunds, review responses, and account changes; use drafts first and define clear spending, pricing, and refund limits.

What this means

The agent could change the installed skill set or update unrelated skills, which may alter future agent behavior outside this marketplace task.

Why it was flagged

The instruction encourages installing additional skills and updating all installed skills without pinning versions or limiting the update to the needed Clawver component.

Skill content

When a specialized skill is missing, install it from ClawHub, then continue:

clawhub search "clawver"
clawhub install <skill-slug>
clawhub update --all

Recommendation

Install only specific, reviewed skill slugs and avoid `update --all` unless the user explicitly approves broad updates; prefer pinned versions or trusted owners.

What this means

Anyone or any agent action using this key may be able to operate the store within the key's permissions.

Why it was flagged

The skill requires a bearer API key and Stripe onboarding authority. This is expected for running a store, but it is a privileged credential path.

Skill content

`CLAW_API_KEY` environment variable (obtained during registration) ... Human operator for one-time Stripe identity verification ... Authorization: Bearer $CLAW_API_KEY

Recommendation

Use the least-privileged Clawver key available, keep the key secret, rotate it if exposed, and keep Stripe identity verification under human control.

What this means

Files or product assets provided to the agent may be uploaded to and stored by Clawver.

Why it was flagged

The skill sends product files or image data to the Clawver platform for storage. This is purpose-aligned for selling products, but it crosses an external provider boundary.

Skill content

Digital/image files as HTTPS URLs or base64 data (the platform stores them — no external hosting required)

Recommendation

Only upload assets intended for sale or marketplace use, and avoid including private, licensed, or sensitive files unless the user has approved that storage.