Acp Agentic Commerce
Pass
Audited by ClawScan on May 13, 2026.
Overview
This appears to be a documentation-focused ACP commerce implementation helper, with no evidence of hidden credential theft, exfiltration, persistence, or destructive behavior in the provided artifacts.
This skill looks safe to install as an ACP development reference. Expect it to use web searches/fetches for official ACP/OpenAI/Stripe documentation and be careful with any real commerce credentials or payment flows in projects you build with it. The review confidence is medium because some listed file contents were omitted or truncated in the supplied artifact text.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may browse official ACP, OpenAI, Stripe, GitHub, and related documentation before producing code.
The skill directs the agent to use web search/fetch before coding. This is disclosed and aligned with keeping ACP implementations current, but it does force external lookup behavior.
Before writing any ACP implementation code, you MUST web-search and/or web-fetch the relevant official documentation.
Allow web access only if you are comfortable with that workflow, and prefer the listed official sources when using this skill.
Projects built with this guidance may handle API tokens, Stripe credentials, payment tokens, or other commerce secrets.
The implementation guidance covers authenticated commerce APIs that use bearer tokens. This is expected for ACP checkout integrations, and the artifact does not show hardcoded or exfiltrated credentials.
Authorization: Bearer <token> — REQUIRED
Use test credentials during development, store secrets in environment variables or a secrets manager, and avoid pasting live payment credentials into prompts.
If the host wires this hook, it may inspect newly written or edited code for secrets and display a security notice.
The bundle includes an executable Python helper intended to run as a post-tool-use hook and inspect Write/Edit content for hardcoded payment secrets. The script shown only emits a local warning and does not transmit data.
"""PostToolUse hook: detect hardcoded Stripe/ACP payment secrets in written code."""
Review local hook configuration before enabling it; the provided script appears limited to local secret-pattern checks.
