Payclaw Badge Pub
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill appears aligned with its PayClaw badge purpose, but it uses a PayClaw API key and sends badge/trip information to PayClaw, so users should review the credential and data-flow details before installing.
Before installing, confirm you trust PayClaw and the npm package @payclaw/badge, keep PAYCLAW_API_KEY secret, keep PAYCLAW_API_URL set to the documented PayClaw HTTPS endpoint, and be aware that badge use can report merchant and trip outcome information to PayClaw.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing users must provide a PayClaw API key that authorizes badge identity requests for their PayClaw account.
The skill reads a PayClaw API key from the environment and sends it as an authorization credential to the PayClaw API.
const apiKey = process.env.PAYCLAW_API_KEY; ... Authorization: `Bearer ${apiKey}`
Use a key intended for this service, keep it out of logs and shared configs, and verify that the registry metadata or local MCP config clearly declares PAYCLAW_API_KEY as a secret.
PayClaw may receive information about which merchant the agent interacted with and whether the badge was accepted or denied.
The reporting path sends badge verification token, merchant, outcome, and short detail text to PayClaw.
body: JSON.stringify({ verification_token: token, event_type: eventType, merchant, detail: detail.slice(0, 500), outcome, })
Install only if you are comfortable with PayClaw receiving identity declaration and trip outcome data; avoid putting sensitive unrelated details into badge outcome responses.
The code executed at install/run time depends on the current npm package contents, which may change after review.
The documented MCP launch path downloads and runs the npm package without a version pin.
"command": "npx", "args": ["-y", "@payclaw/badge"]
Prefer pinning a known version, review the npm package/repository, and install from a trusted source.
Users may be confused about whether an API key is required and whether a consent credential will be stored locally.
The following README claim conflicts with SKILL.md and the included source, which require PAYCLAW_API_KEY and do not show a device-auth storage flow:
No API key required. On first use, your agent will show a code and URL — approve on your phone in one tap, and your Consent Key is stored.
Rely on the actual MCP configuration and source behavior when deciding what credentials to provide; maintainers should reconcile the README, SKILL.md, server.json, and code.
