Skill v0.1.5
ClawScan security
Reva · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 25, 2026, 5:24 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code and instructions match its stated purpose (passwordless wallet auth, PayID claiming, balance queries, and transfers); it calls revapay.ai endpoints and stores a local access token, which is expected behavior for this functionality.
- Guidance: This skill appears to do what it says: it will send your email/OTP and transaction requests to https://api.revapay.ai and store an access token and small state under ~/.openclaw/payid. Before installing: 1) Confirm you trust revapay.ai and its privacy/security practices (this skill sends sensitive auth and transaction data to that domain). 2) Ensure jq and curl are available. 3) Be careful when authorizing transfers — verify recipient and amount because blockchain transfers are irreversible. 4) Note the token is stored on disk (auth.json) with restrictive permissions; if you share a machine, consider whether that storage is acceptable. 5) If you need higher assurance, review the remote service's docs or contact the vendor to confirm endpoints and behavior.
Review Dimensions
- Purpose & Capability (ok): Name/description (Reva wallet management, passwordless auth, PayID, multi-chain transfers) align with the scripts and runtime instructions. All network calls are to api.revapay.ai and the scripts implement login/verify, claim payid, get-balance, get-user-info, send-message, and transfer-funds as described.
- Instruction Scope (note): SKILL.md and scripts are focused on the wallet workflow. The skill asks for user email/OTP and stores an access token for subsequent calls; it will transmit email, OTP, token, recipient and amount to revapay.ai endpoints. It does not attempt to read unrelated system files, environment variables, or other credentials. Note: the skill stores token and some state under $HOME/.openclaw/payid and posts data to the external revapay.ai API as part of normal operation.
- Install Mechanism (ok): No install/download steps; code is instruction-only with included shell scripts. Dependencies declared (jq, curl) are reasonable for the tasks performed. No remote downloads or archives are executed by an installer.
- Credentials (ok): No environment variables or unrelated credentials are requested. The scripts write and read token/state under $HOME/.openclaw/payid (auth.json, room_state.txt) — this is proportional for storing session tokens and state. All network requests go to the service domain in the skill description.
- Persistence & Privilege (ok): always: false, and the skill does not modify other skills or system-wide settings. It persists only its own state under the user's home directory (~/.openclaw/payid). Files are created with restrictive permissions (700 for dir, 600 for auth file/room state), which is appropriate for stored tokens.
