Billing
v1.0.0
Build payment integrations, subscription management, and invoicing systems with webhook handling, tax compliance, and revenue recognition.
by Iván @ivangdavila
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious, high confidence
Purpose & Capability
The name/description align with the files: Stripe integration, webhooks, subscriptions, tax, invoicing, revenue recognition, marketplace and usage billing are all present. The requested capabilities (payment handling, tax, disputes) are coherent with the content.
Instruction Scope
SKILL.md and the companion files include concrete runtime patterns that require secrets (e.g., process.env.STRIPE_WEBHOOK_SECRET, process.env.PADDLE_WEBHOOK_SECRET), a database (db.* calls), and external network calls (VIES API). The skill does not declare these env vars or config paths; the instructions therefore assume access to sensitive runtime state that is not described or scoped by the registry metadata.
Install Mechanism
This is an instruction-only skill with no install spec and no code files to execute. That reduces surface area: nothing is downloaded or written by a package installer.
Credentials
The docs demonstrate the need for Stripe API usage, webhook secrets, and database connections but the skill declares no required environment variables or config paths. It also references collection/storage of highly sensitive fields (SSN or ssn_last_4 noted in marketplace onboarding), which is plausible for KYC but should be explicitly declared and justified. The absence of declared credentials is a proportionality/visibility issue.
Persistence & Privilege
always: false and no install script means the skill does not request permanent platform privileges. The skill can be invoked autonomously (platform default), which increases practical impact if it is given access to credentials; combine that with the environment concerns above before enabling autonomous invocation.
What to consider before installing
This skill appears to be a legitimate, detailed billing playbook, but it assumes access to secrets and system resources that aren't declared. Before installing or enabling it:
1) Ask the publisher which environment variables and config paths the skill expects (Stripe API key, STRIPE_WEBHOOK_SECRET, PADDLE_WEBHOOK_SECRET, DB connection URL, etc.).
2) Never provide full card PAN/CVV; use PSP tokens and test (sandbox) keys when validating.
3) If KYC/SSN collection will occur, confirm legal requirements and minimize storage (store only what is necessary and encrypted).
4) Prefer giving the agent short-lived, scoped credentials (test keys, read-only where possible) and rotate them.
5) Require the skill to declare required env vars and any external endpoints it will contact; do not enable autonomous invocation until you understand and limit what secrets it can access.
If the publisher cannot provide a clear list of required credentials and the intended data flows, treat the skill as unsafe to enable in production.
Like a lobster shell, security has layers — review code before you run it.
latest vk97156f2y9wd71vdq78189gaes81akkr
Runtime requirements
💳 Clawdis
OS: Linux · macOS · Windows
