payrail402
Pass
Audited by ClawScan on May 1, 2026.
Overview
The skill coherently implements PayRail402 spend tracking, but users should understand that it sends transaction metadata and PayRail402 credentials to a remote service.
This appears safe to install if you want PayRail402 to track your agent's spending. Before installing, verify the PayRail402 account and endpoint, configure only the auth method you need, keep tokens/API keys private, and make sure your agent only calls the tracking tool for real transactions you want recorded.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Providing both auth methods when only one is needed gives the skill more PayRail402 credential material than necessary.
The skill uses PayRail402-specific credentials, which is expected for this integration, but the credential requirement is broader than the setup text that says either webhook auth or API-key auth is sufficient.
requires:
  env:
    - PAYRAIL402_WEBHOOK_TOKEN
    - PAYRAIL402_API_KEY
    - PAYRAIL402_AGENT_ID
...
You only need one auth method.
Use the least-privileged PayRail402 credential needed for your workflow, and avoid configuring unused tokens or API keys if the platform allows optional credentials.
Sensitive spend and transaction metadata will leave the local agent environment and be stored or processed by PayRail402.
The track tool sends transaction details, merchant/category information, mandate references, proof hashes, and a webhook credential to the configured PayRail402 API endpoint.
const payload = { amount: input.amount, description: input.description, merchant: input.merchant, category: input.category, rail: input.rail || "manual", mandate: input.mandate, proofHash: input.proofHash };
...
fetchJSON(`${baseUrl}/api/ingest/webhook/${config.webhookToken}`, { method: "POST", body: payload });
Install only if you intend PayRail402 to receive this transaction data, and avoid including unnecessary sensitive details in descriptions or metadata fields.
Incorrect or unintended tool calls could create false spend records or alerts in the PayRail402 dashboard.
Calling the tracking tool changes remote dashboard state and can affect budget evaluation and alerting, which is expected for the skill but should be invoked only for accurate transactions.
When you call `payrail402_track`, the PayRail402 backend:

1. Records the transaction with full metadata
2. Updates agent spend stats ...
3. Evaluates budget rules ...
5. Sends alerts to the dashboard
Configure agent policy so transaction tracking is performed after real, user-authorized financial operations and with accurate amounts and descriptions.
