Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Agent-to-Agent Payments

v1.1.3

Monetize your AI agent. Charge for API calls, services, or data. Accept payments autonomously — no human needed. Use when agent needs to: 'charge for my serv...

by Siddharth Menon (@buddhasource)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md clearly describes a payments integration (PayRam MCP) and shows mcporter CLI commands, but the registry metadata declares no required binaries or credentials. In practice, running these commands requires the mcporter binary and payment wallets/keys; those are not declared. That mismatch is disproportionate to the stated purpose.
Instruction Scope
Runtime instructions ask the agent to run mcporter commands to connect to an external MCP server (https://mcp.payram.com) and to generate onboarding/payment snippets. The instructions stay within the payment domain and do not ask the agent to read unrelated system files, but they are vague about how private keys, wallets, or webhook secrets are provided/managed and about what 'autonomous setup' entails.
Install Mechanism
This is an instruction-only skill with no install spec or code files. That minimizes on-disk install risk. However, the instructions rely on an external CLI (mcporter) and external endpoints — the skill does not supply or declare where to obtain mcporter.
Credentials
The skill declares no required environment variables or primary credential, yet a functioning payments integration would normally require wallet private keys, API keys, or webhook secrets. The omission is a meaningful gap: either the skill expects the agent/environment to already have sensitive credentials (not declared), or the SKILL.md is incomplete about credential handling.
Persistence & Privilege
The skill does not request always: true, does not modify other skills, and has no install-time persistence. It instructs connecting to an external MCP endpoint but does not request elevated platform privileges in its metadata.
What to consider before installing
This skill looks like a documentation/usage wrapper for PayRam's MCP that tells an agent to use the mcporter CLI and call an external MCP server. Before installing or using it: (1) verify you have the mcporter CLI from an official source and that the SKILL.md commands match the official docs; (2) do not expose private wallet keys or API secrets to the skill unless you understand how they are stored and used — the skill does not declare required credentials; (3) confirm the external endpoint (https://mcp.payram.com) and PayRam's legal/regulatory posture (no-KYC claims may have implications in your jurisdiction); (4) ask the skill author to declare required binaries and credentials in the metadata or provide an install spec from an official release so you can audit what's being invoked. These clarifications would raise confidence; as-is, the missing binary/credential declarations are the main coherence issue.

Like a lobster shell, security has layers — review code before you run it.

latestvk978vazfrv7xn03ajtmydgjqc9826yw5
