Agent Payments
Warn
Audited by ClawScan on May 10, 2026.
Overview
This is a coherent payment skill, but it can create, send, refund, and batch-process real payments without clear built-in approval limits or credential scoping.
Only install this if you intentionally want an agent to help operate real payment rails. Start with test credentials, use restricted keys, set spending and batch limits, and require manual confirmation before any charge, invoice send, refund, crypto transfer, payroll batch, or x402 paid call.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked with mistaken or manipulated parameters, the agent could send invoices, request refunds, or initiate crypto payment workflows affecting real money.
The helper directly performs high-impact payment actions, including finalizing/sending invoices and initiating Spraay sends, without an artifact-backed confirmation, dry-run, amount limit, or recipient/customer validation step.
curl -s -X POST "$STRIPE_URL/invoices/$inv_id/finalize" ...; curl -s -X POST "$STRIPE_URL/invoices/$inv_id/send" ...; curl -s -X POST "$SPRAAY_URL/api/send" ...
Require explicit user confirmation for rail, amount, currency, recipient/customer, and purpose before any live payment action; add dry-run previews, validation, and safe defaults.
A compromised or over-capable agent session could use payment credentials to mutate the user's Stripe or Coinbase Commerce account within the key's permissions.
The skill asks for live payment-provider credentials that can authorize account-level financial operations, but the artifacts do not clearly limit those credentials to test mode, restricted scopes, or narrowly approved operations.
export STRIPE_SECRET_KEY="sk_live_..."; export COINBASE_COMMERCE_API_KEY="..."
Use test keys by default, restricted API keys where available, separate accounts for automation, spending/operation limits, and clear credential declarations in metadata.
The agent could make paid calls to external agent/provider endpoints and potentially send prompts or task data outside the user's environment without clear boundaries.
The reference describes automatic agent-to-agent micropayments over HTTP headers, but does not define identity checks, spending controls, data boundaries, or approval requirements for those inter-agent/provider calls.
x402 is an HTTP-native payment protocol... Your agent's x402 client handles payment automatically via HTTP headers.
Require explicit approval and spending caps for x402 calls, disclose what data is sent to each endpoint, and verify endpoint identity before payment.
A single bad batch file could cause many incorrect payroll or contractor payments rather than one isolated mistake.
The batch-payment path posts an entire recipients file to the payment gateway, so one wrong, stale, or poisoned file could affect many recipients at once; the artifacts do not show review, limits, or containment.
recipients=$(cat "$file"); curl -s -X POST "$SPRAAY_URL/api/batch" ... "recipients": $recipients
Add recipient-count and amount limits, checksum or preview review, explicit approval for the full batch, and a requirement to verify each address and amount before submission.
