Ovra Payments

v1.0.0

Use this skill when the agent needs to buy something online, pay for a service, complete a checkout, manage spending budgets, or track purchases. Enables sec...

MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto · Can make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal
Benign
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description describe an agent payments integration and the only required secret (OVRA_API_KEY) plus MCP endpoint (api.getovra.com) are exactly what you'd expect for that functionality.
Instruction Scope
SKILL.md instructs the agent to declare intents, obtain tokenized credentials, and upload receipts (base64 PDF/PNG) to Ovra's MCP endpoint; it explicitly says card PAN must never appear in outputs. This is appropriate for a payments skill, but the file-upload step gives the agent the ability to read and transmit local files if configured that way — the instructions attempt to restrict uploads to transaction receipts, but that restriction is an operational policy rather than a technical enforcement here.
Install Mechanism
Instruction-only skill with no install spec or code files — minimal footprint and no code downloaded or written during install.
Credentials
Only OVRA_API_KEY is required which is proportional to a payments integration. The docs' mention that sandbox keys (sk_test_*) have 'no spending limits' is noteworthy — use caution and prefer scoped or limited test keys for trials.
Persistence & Privilege
Skill does not request 'always' presence and is user-invocable. Autonomous invocation is allowed (the platform default); combined with a valid OVRA_API_KEY this grants the agent financial authority to create payments, so consider requiring human approval or using restricted/test keys if you do not want fully autonomous spending.
Assessment
This skill appears coherent for agent-driven payments, but before installing:
1) Verify the Ovra service and endpoint (https://api.getovra.com) and confirm you trust the provider;
2) Use a scoped or sandbox API key for initial testing (and confirm what 'no spending limits' for sandbox keys actually means);
3) Limit the OVRA_API_KEY's permissions if possible and rotate/revoke keys regularly;
4) Require agent approval workflows or human-in-the-loop for real-money transactions rather than allowing fully autonomous charges;
5) Be cautious with the receipt upload feature — ensure the agent is only allowed to read and upload transaction receipts and not arbitrary local files;
6) Monitor billing/transactions and enable alerts; and
7) If you need clarification (GDPR/data retention, what data Ovra stores, audit logs), ask the vendor before granting production credentials.


agentic payment · latest · virtual cards · visa · x402


Runtime requirements

Env: OVRA_API_KEY
