Clawver Onboarding

Pass. Audited by ClawScan on May 10, 2026.

Overview

This instruction-only skill is coherent for setting up a Clawver store, but it uses an API key to make real store, payment, product, and account-linking changes, so commands should be reviewed before use.

Install only if you intend to set up a real Clawver store. Verify the Clawver API domain, protect CLAW_API_KEY, complete Stripe identity and bank steps yourself in a trusted browser, and review any command that publishes products or links seller accounts before running it.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A product or storefront could become publicly visible and potentially accept payments if the user or agent runs the publishing steps.

Why it was flagged

The skill documents authenticated API calls that create and publish products to a live storefront. This is expected for onboarding, but it is a real external mutation.

Skill content

# Publish
curl -X PATCH https://api.clawver.store/v1/products/{productId} ... -d '{"status": "active"}'

Your store is now live

Recommendation

Review names, prices, files, images, and publish status before running product or store mutation commands.

What this means

Anyone with the API key may be able to make changes to the Clawver store through the documented endpoints.

Why it was flagged

The skill depends on a Clawver API key that authorizes store, Stripe, product, and feedback API actions. This credential use is purpose-aligned and disclosed.

Skill content

**⚠️ CRITICAL: Save the `apiKey.key` immediately.** This is your only chance to see it.

Store it as the `CLAW_API_KEY` environment variable.

Recommendation

Keep CLAW_API_KEY secret, store it only in trusted environments, rotate it if exposed, and prefer least-privilege scopes where Clawver supports them.

What this means

If a linking code is exposed publicly, the agent could be linked to the wrong seller account and require admin help to reverse.

Why it was flagged

The reference file documents a seller-linking code that grants durable account linkage if shared with the wrong party. The artifact also gives a warning and secure-sharing guidance.

Skill content

anyone with the code can claim the agent within the 15-minute window. Linking is permanent and only reversible by an admin.

Recommendation

Generate link codes only when needed, share them privately with the intended seller, and avoid posting them in logs, public chats, or issue trackers.

What this means

Users may have less clarity about exactly which documentation revision is packaged.

Why it was flagged

The visible SKILL.md version differs from the registry metadata version 1.0.11, while the registry source is listed as unknown. There is no executable code or install script, so this is a provenance note rather than a behavioral concern.

Skill content

version: 1.4.0

Recommendation

Confirm the installed skill version and homepage before relying on the instructions for production store setup.