Payments

Integrate payments with provider selection, checkout flows, subscription billing, and security best practices.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
2 · 668 · 2 current installs · 2 all-time installs
by Iván (@ivangdavila)
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description match the contents: provider comparison, integration patterns, subscription management, and security guidance. The skill does not request unrelated binaries, credentials, or config paths.
Instruction Scope
SKILL.md and the included docs stay within the remit of payment integration best practices (webhooks, idempotency, PCI guidance, dunning, etc.). There are no instructions to read unrelated system files, exfiltrate data, call external endpoints outside normal payment providers, or perform actions beyond implementation guidance.
Install Mechanism
There is no install spec and no code to write to disk. As an instruction-only skill, it introduces minimal execution risk.
Credentials
The skill declares no required environment variables or credentials (reasonable for a documentation-only guide). In real implementations you will need provider API keys/webhook secrets; those are not asked for by this skill and should be scoped and stored securely when you implement the recommendations.
Persistence & Privilege
The always flag is false and the skill is user-invocable. It does not request a permanent autonomous presence and does not modify other skills or config; there are no privilege-escalation indicators.
Assessment
This skill is a documentation bundle (no code) and appears coherent for its stated purpose. Before using it in a real project: (1) implement provider API keys and webhook secrets with least privilege and store them outside chat/skill configs; (2) never copy raw card data into logs or chat; (3) ensure any future code that implements these instructions validates webhook signatures, uses idempotency, and runs in test mode before production; (4) if you let an agent invoke payment-related actions autonomously, restrict what secrets it can access and review audit logs—autonomous invocation is allowed by default and increases blast radius if credentials are leaked.

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.0
latest: vk979yath5trr745fzdjv5wt445810vmr

SKILL.md

Situation Detection

| Context | Load |
| --- | --- |
| Choosing Stripe vs Paddle vs LemonSqueezy | providers.md |
| Implementing checkout, webhooks, refunds | integration.md |
| Subscription billing, trials, upgrades | subscriptions.md |
| PCI compliance, fraud prevention | security.md |

Universal Rules

Never store card data. Use provider-hosted checkout or tokenization so raw card numbers never reach your servers. The moment they do, your PCI DSS scope expands from the short hosted-checkout questionnaire (SAQ A) to the full one (SAQ D), with the audit and infrastructure burden that implies.

Webhooks are truth. Client-side success callbacks lie. A payment succeeded only when your webhook confirms it. Design for webhook-first verification.

Test mode exists for a reason. Use test cards, simulate failures, verify webhook handling. Production surprises cost real money and real customers.

Pricing psychology: $9.99/mo feels cheaper than $120/year, but annual retention is 2-3x higher. Default to annual with monthly option, not the reverse.


Provider Quick Compare

| Need | Recommendation |
| --- | --- |
| US/global B2C | Stripe (best docs, widest coverage) |
| SaaS selling to EU (VAT headache) | Paddle, LemonSqueezy (merchant of record) |
| Simple product, no dev resources | Gumroad, LemonSqueezy hosted |
| Marketplace with splits | Stripe Connect |
| High-risk or adult | Specialized processors (CCBill, Epoch) |

See providers.md for detailed comparison.


Integration Checklist

Before going live:

  • Webhook endpoint served over HTTPS, signature verified against the raw request body, with a timestamp tolerance to block replays
  • Idempotency keys on all charges, so a retried request cannot create a second charge
  • Failure states handled (declined, expired, insufficient funds)
  • Receipts and invoices configured
  • Refund flow tested
  • Subscription lifecycle events handled (upgrade, downgrade, cancel)
  • Currency handling explicit: integer amounts in the currency's smallest unit, never floats, and zero-decimal currencies such as JPY accounted for

Red Flags

  • Storing CVV anywhere, ever → Instant PCI violation (PCI DSS forbids retaining sensitive authentication data after authorization)
  • Trusting client-side payment confirmation → Fraud vector
  • No retry handling for failed webhooks (return non-2xx so the provider retries, and make handlers idempotent) → Lost transactions
  • Letting the frontend set prices or amounts → Easy manipulation; look prices up server-side from the product or price id
  • Missing cancel_at_period_end handling → Angry customers
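Server-side price authority with integer minor units and a per-order idempotency key, as an added example (not the skill's own code). It enforces three of the points above: the client names a price id and a quantity, the server computes the amount from its own catalog and converts it to the currency's smallest unit (two decimals for USD, zero for JPY, three for KWD), and the charge's idempotency key is derived from the order id so a retried request cannot produce a second charge. The catalog, the cart shape, the quantity bound and the key derivation are assumptions made for the illustration.

```python
import uuid
from decimal import ROUND_HALF_UP, Decimal

# Added example, not the skill's code. The catalog, order shape and key derivation
# are assumptions made for this illustration.

# The server-side catalog is the only source of prices. Decimal strings, never floats.
CATALOG = {
    "price_basic": {"currency": "usd", "unit_price": Decimal("9.99")},
    "price_annual": {"currency": "usd", "unit_price": Decimal("120.00")},
    "price_jp": {"currency": "jpy", "unit_price": Decimal("1500")},
}

# ISO 4217 minor-unit exponents: 2 for most currencies, 0 for JPY, 3 for KWD.
MINOR_UNIT_EXPONENT = {"usd": 2, "eur": 2, "gbp": 2, "jpy": 0, "kwd": 3}

MAX_QUANTITY = 100  # assumption: bound quantities so a tampered cart cannot overflow a total


class InvalidOrder(ValueError):
    """Raised for any cart the server refuses to price."""


def to_minor_units(amount: Decimal, currency: str) -> int:
    """Convert a major-unit Decimal (USD 9.99) to an int in the smallest unit (999)."""
    exponent = MINOR_UNIT_EXPONENT[currency]
    scaled = (amount * Decimal(10) ** exponent).quantize(Decimal(1), rounding=ROUND_HALF_UP)
    return int(scaled)


def idempotency_key_for(order_id: str) -> str:
    """Same order id -> same key, so a retried charge request is a no-op at the provider."""
    return uuid.uuid5(uuid.NAMESPACE_URL, f"charge:{order_id}").hex


def build_charge(order_id: str, line_items: list[dict]) -> dict:
    """Price a client-submitted cart using only server-side data.

    The client may send price ids and quantities. Any client-supplied amount is
    treated as tampering and rejected; unknown ids, bad quantities and mixed
    currencies are rejected too.
    """
    if not line_items:
        raise InvalidOrder("empty cart")
    total = Decimal(0)
    currency = None
    for item in line_items:
        if "amount" in item or "unit_price" in item:
            raise InvalidOrder("client-supplied price is not accepted")
        entry = CATALOG.get(item.get("price_id"))
        if entry is None:
            raise InvalidOrder(f"unknown price_id {item.get('price_id')!r}")
        quantity = item.get("quantity", 1)
        if isinstance(quantity, bool) or not isinstance(quantity, int) or not 1 <= quantity <= MAX_QUANTITY:
            raise InvalidOrder(f"bad quantity {quantity!r}")
        if currency is None:
            currency = entry["currency"]
        elif entry["currency"] != currency:
            raise InvalidOrder("mixed currencies in one charge")
        total += entry["unit_price"] * quantity
    return {
        "amount": to_minor_units(total, currency),  # integer in minor units, never a float
        "currency": currency,
        "idempotency_key": idempotency_key_for(order_id),
        "metadata": {"order_id": order_id},
    }


def is_rejected(order_id: str, line_items: list[dict]) -> bool:
    """True if the server refuses to price the cart (used by the demo and tests)."""
    try:
        build_charge(order_id, line_items)
    except InvalidOrder:
        return True
    return False


if __name__ == "__main__":
    print(build_charge("order_42", [{"price_id": "price_basic", "quantity": 2}]))
    print("tampered cart rejected:", is_rejected("order_43", [{"price_id": "price_basic", "amount": 1}]))
```

The returned dict is what you hand to the provider's charge or checkout call, with the idempotency key sent as the provider's idempotency header. Providers reject a reused key whose request parameters differ, so if the cart changes after a failed attempt, treat that as a new order id rather than reusing the old one.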

When to Load More

| Situation | Reference |
| --- | --- |
| Evaluating payment processors | providers.md |
| Building checkout, handling webhooks | integration.md |
| Recurring billing, metering, trials | subscriptions.md |
| Fraud, PCI, chargebacks | security.md |

Files

5 total