Agent ToMerchant

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill is a coherent payment-receiving integration, but it gives an agent high-impact payment and account-control abilities with under-declared credential handling and limited approval guidance.

Only use this skill if you trust the SynapseAI wallet service and can provide a narrowly scoped registration token. Confirm every merchant registration, wallet/payment-link creation, webhook URL, and status toggle before letting the agent act, and avoid using production payment credentials until the publisher and credential scope are verified.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If invoked with a valid token, the agent could create payment infrastructure or change merchant/account settings in ways that affect real payment flows.

Why it was flagged

These are state-changing payment and account operations. The artifact documents them as direct API commands but does not include clear user-confirmation, scoping, or rollback requirements before the agent performs them.

Skill content

Register Merchant → POST /register ... Create More Wallets → POST /wallet/create ... Create Payment Link → POST /payment/link ... Disable/Enable → POST /agent/{id}/toggle

Recommendation

Require explicit user approval for registration, wallet creation, payment-link creation, webhook configuration, and status toggles; also bind actions to a user-confirmed agent ID, amount, currency, and callback URL.
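One way to enforce that recommendation in the harness that sits between the agent and the merchant API, as an added example that is not part of the skill or of ClawScan's review. It assumes the endpoints quoted above and a hypothetical Approval record the user confirms out of band; the agent ID, amount, currency and URL values are constructed sample data, and nothing here touches the network.

```python
"""Approval gate in front of the skill's state-changing calls.

Added example, not code from the ToMerchant skill or from ClawScan. It assumes
the endpoints quoted in the finding (POST /register, /wallet/create,
/payment/link, /webhook, /agent/{id}/toggle) and a hypothetical Approval
record that the user confirms out of band before the agent calls the API.
Nothing here talks to the network; the point is the policy check."""
import re
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlparse

# Operations the review says must not run without explicit user approval.
GATED = [
    ("POST", re.compile(r"^/register$")),
    ("POST", re.compile(r"^/wallet/create$")),
    ("POST", re.compile(r"^/payment/link$")),
    ("POST", re.compile(r"^/webhook$")),
    ("POST", re.compile(r"^/agent/[^/]+/toggle$")),
]


class ApprovalRequired(Exception):
    """The call is gated and no user approval was presented."""


class ApprovalMismatch(Exception):
    """An approval exists but does not cover this exact call."""


@dataclass(frozen=True)
class Approval:
    """What the user actually confirmed (hypothetical record shape)."""
    method: str
    path: str
    # Parameters bound to the approval: agent ID, amount, currency, callback URL.
    bound: dict = field(default_factory=dict)


def is_gated(method: str, path: str) -> bool:
    """True for the state-changing endpoints listed in the finding."""
    return any(m == method.upper() and p.match(path) for m, p in GATED)


def authorize(method: str, path: str, body: dict, approval: Optional[Approval]) -> bool:
    """Return True if the agent may send this request; raise otherwise.

    Reads and other non-gated calls pass through. A gated call must match the
    approval's method and path, every bound parameter must equal what the user
    saw, and any URL-valued parameter (webhook or callback) must be HTTPS.
    """
    if not is_gated(method, path):
        return True
    if approval is None:
        raise ApprovalRequired(f"{method.upper()} {path} needs explicit user approval")
    if approval.method.upper() != method.upper() or approval.path != path:
        raise ApprovalMismatch(
            f"approval is for {approval.method} {approval.path}, not {method} {path}")
    for key, expected in approval.bound.items():
        actual = body.get(key)
        if actual != expected:
            raise ApprovalMismatch(f"{key}: user approved {expected!r}, request carries {actual!r}")
    for key, value in body.items():
        if key.endswith("url") and urlparse(str(value)).scheme != "https":
            raise ApprovalMismatch(f"{key} must be an HTTPS URL, got {value!r}")
    return True


if __name__ == "__main__":
    # Constructed sample: the user approved exactly this payment link.
    req = {"agent_id": "agent_demo", "amount": "25.00", "currency": "USDC"}
    ok = Approval("POST", "/payment/link", dict(req))
    print(authorize("POST", "/payment/link", req, ok))
```

The gate deliberately compares the request the agent is about to send against the parameters the user confirmed, rather than trusting the agent's own summary of what it intends to do; a prompt-injected "change the amount" or "point the callback at another host" fails the bound-parameter check rather than the user's attention.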

What this means

A user may not realize that installing or invoking the skill involves giving the agent a token capable of controlling payment-receiving account functions and reading payment data.

Why it was flagged

The Bearer token authorizes merchant registration, wallet creation, payment-link creation, webhook configuration, and merchant-data queries. The registry metadata says no primary credential is required, so this sensitive authority is under-declared.

Skill content

All requests use Bearer token (same token from wallet registration): Authorization: Bearer <registration_token>

Recommendation

Declare the required credential in metadata, document its exact permissions, use the narrowest possible token scope, and avoid giving the agent tokens that can affect unrelated agents or spending controls.

What this means

Payment details such as transaction hashes, amounts, currencies, and payer addresses may be sent to the webhook URL chosen during setup.

Why it was flagged

Webhook configuration is purpose-aligned for payment notifications, but it sends payment event data to a configured external endpoint and returns a webhook secret that must be protected.

Skill content

POST {MERCHANT_URL}/webhook ... "url": "https://your-api.com/payment-callback", "events": ["payment.success"]

Recommendation

Use only user-approved HTTPS webhook URLs, store the returned webhook secret securely (not in the agent's prompt, context, or logs), and verify each notification's signature against that secret before acting on a payment event.
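What the receiving endpoint should do with that secret, as an added example that is not code from the skill or from the SynapseAI service. The review only says a webhook secret is returned and that signatures must be verified, not which scheme the provider uses, so this block assumes a common layout: the sender puts a Unix timestamp in an X-Timestamp header and a hex HMAC-SHA256 over "<timestamp>.<raw body>" in X-Signature. Those header names, the message layout, the secret and the payment event are all assumptions or constructed sample data; adapt them to the provider's documentation.

```python
"""Verifying a payment webhook before trusting it.

Added example, not code from the ToMerchant skill or the SynapseAI service.
Assumed scheme: X-Timestamp carries a Unix timestamp, X-Signature carries a
hex HMAC-SHA256 of "<timestamp>.<raw body>" under the webhook secret.
Header names, layout, secret and sample event are assumptions / constructed."""
import hashlib
import hmac
import json
import time
from typing import Optional

MAX_SKEW_SECONDS = 300  # reject notifications outside a five-minute window (replay guard)


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """Sender side of the assumed scheme; also used to build test samples."""
    msg = str(timestamp).encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: dict, body: bytes, now: Optional[int] = None) -> bool:
    """True only if the signature matches the raw body and the timestamp is fresh."""
    ts_raw = headers.get("X-Timestamp")
    sig = headers.get("X-Signature")
    if ts_raw is None or sig is None:
        return False
    try:
        ts = int(ts_raw)
    except ValueError:
        return False
    now = int(time.time()) if now is None else now
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False
    expected = sign(secret, ts, body)
    # Constant-time comparison: a plain == would leak how many leading bytes match.
    return hmac.compare_digest(expected.encode(), sig.lower().encode())


def handle_payment_event(secret: bytes, headers: dict, body: bytes,
                         now: Optional[int] = None) -> Optional[dict]:
    """Parse the event only after verification; None means 'do not act on it'."""
    if not verify_webhook(secret, headers, body, now):
        return None
    try:
        event = json.loads(body)
    except json.JSONDecodeError:
        return None
    if event.get("event") != "payment.success":
        return None
    return event


# Constructed sample, not captured from the service.
SECRET = b"whsec_constructed_example_secret"
SAMPLE_TS = 1_700_000_000
SAMPLE_BODY = json.dumps({
    "event": "payment.success",
    "tx_hash": "0x" + "ab" * 32,
    "amount": "25.00",
    "currency": "USDC",
    "payer": "0x" + "cd" * 20,
}, separators=(",", ":")).encode()
SAMPLE_HEADERS = {
    "X-Timestamp": str(SAMPLE_TS),
    "X-Signature": sign(SECRET, SAMPLE_TS, SAMPLE_BODY),
}

if __name__ == "__main__":
    print(handle_payment_event(SECRET, SAMPLE_HEADERS, SAMPLE_BODY, now=SAMPLE_TS + 10))
```

Two details matter in practice: verify over the raw request bytes, not over a re-serialised JSON object (any whitespace or key-order difference changes the MAC), and treat a failed verification as "drop silently and log", never as "parse anyway and warn", since the amount and payer fields are exactly what a forged notification would alter.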

What this means

Users may have less assurance that the skill is officially maintained by the payment provider it references.

Why it was flagged

There is no code install risk, but provenance matters because the skill directs users to a payment service and asks for a Bearer registration token.

Skill content

Source: unknown

Recommendation

Verify the homepage, publisher, and token issuer before using real payment credentials or production merchant accounts.