Payclaw Io Pub
Warn
Audited by ClawScan on May 10, 2026.
Overview
This skill clearly says it helps agents identify themselves and pay, but it runs an unpinned npm MCP server and stores a payment consent key automatically, so it needs careful review before use.
Only install this if you trust PayClaw and are comfortable giving an agent a payment identity and card-request flow. Confirm the npm package source, pin or review the MCP server where possible, verify that every payment requires human approval, and learn how to revoke the stored Consent Key before using real funds.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A changing or compromised npm package could affect the agent component that handles identity and payment actions.
The skill delegates its runtime behavior to an npm package fetched/executed by npx without a pinned version; the provided artifact set contains no implementation code to verify the payment and consent-key behavior.
"command": "npx", "args": ["-y", "@payclaw/mcp-server"]
Install only if you trust the publisher and package provenance; prefer a pinned version, reviewed source, and a reproducible install path for payment-related tools.
A stored consent credential tied to payment capabilities could allow future payment-related actions if it is mishandled or if the MCP server behaves unexpectedly.
The skill creates persistent delegated authorization for a service that can issue payment cards, but the artifacts do not define the key's storage location, scope, lifetime, or revocation process.
Approve on your phone in one tap — your Consent Key is stored automatically.
Before using, confirm where the Consent Key is stored, how to revoke it, what spending limits apply, and whether every card request requires fresh human approval.
If an agent calls the payment tool at the wrong time or with wrong details, it could initiate an unintended payment flow.
The skill exposes a tool for obtaining a virtual Visa card; this is central to the stated purpose and is disclosed, but it is a high-impact action that should remain user-approved.
`payclaw_getCard` | Declare purchase intent → get single-use virtual Visa (Spend)
Use this only with agents configured to ask for clear confirmation before purchase or card issuance.
PayClaw may receive information about merchants you visit through the agent and purchases you ask the agent to make.
The MCP server is configured to communicate with PayClaw's external API; this is expected for the service, but merchant identity, purchase intent, and transaction outcome data may be sent there.
"env": { "PAYCLAW_API_URL": "https://api.payclaw.io" }
Review PayClaw's privacy, retention, and audit policies before sending real merchant or purchase data.
