Obverse Payments
Audited by ClawScan on May 10, 2026.
Overview
This skill mostly matches its payment-link purpose, but it handles payment credentials and contains a flagged hardcoded password-like secret in the CLI that should be reviewed before use.
Install only after reviewing the full CLI source around the reported hardcoded password. If you proceed, use a dedicated Obverse API key, confirm all payment amounts and customer fields before the agent creates links or records, and avoid collecting unnecessary customer information.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone or any agent process with this key may be able to create links, view payment data, or use other Obverse account capabilities allowed by that key.
The skill uses a provider API key from the environment and sends it to Obverse for authenticated payment operations.
const API_KEY = process.env.OBVERSE_API_KEY; ... 'X-API-Key': API_KEY
Use a dedicated least-privilege Obverse key, keep the OpenClaw config file private, monitor usage, and rotate the key if exposed.
A hardcoded or shared dashboard password could expose account/payment data or cause users to rely on unsafe credentials.
The static scan reports a hardcoded password-like secret in executable CLI code; this is not explained by the payment-link purpose or setup docs.
Static scan at obverse-cli.js:556: password: [REDACTED],
Inspect the full obverse-cli.js source around the reported line, remove any real hardcoded secret, and generate credentials per user/session through the provider instead.
If invoked with wrong parameters, the agent could create incorrect invoices, payment links, or records.
The CLI can create payment links and other payment records through POST requests, which is central to the stated purpose but mutates financial/business data.
makeRequest('/payment-links', { method: 'POST', body: JSON.stringify({ amount: parseFloat(amount), token: currency, chain: chainValidation.chain, description, customFields
Require explicit user confirmation for amounts, chain, token, recipient/customer fields, and any submit-payment action.
Customer personal information and payment details may be stored by Obverse and surfaced to the agent/user.
The skill is designed to collect customer information through payment links and make it available in dashboards.
Gather email, name, phone, or ANY custom fields you need ... View customer emails, names, and payment details!
Collect only necessary fields, disclose collection to customers, and review Obverse retention/privacy controls before using custom fields.
Installation may be ambiguous, and users may not know exactly which helper code or binaries are required.
The registry install contract is incomplete relative to the included executable helper files and documented CLI/script usage.
No install spec — this is an instruction-only skill. ... Code file presence: 2 code file(s): obverse-cli.js; scripts/obverse-client.sh
Publish a clear install spec and keep registry requirements aligned with package/clawhub metadata before relying on the CLI.
