ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Creem Store Agent

v1.0.0

AI-powered Creem store monitor — alerts, churn analysis, autonomous actions via Telegram

0· 105·0 current·0 all-time
byDmitrii Malakhov@malakhov-dmitrii

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for malakhov-dmitrii/creem-store-agent.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Creem Store Agent" (malakhov-dmitrii/creem-store-agent) from ClawHub.
Skill page: https://clawhub.ai/malakhov-dmitrii/creem-store-agent
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required env vars: CREEM_API_KEY, CREEM_WEBHOOK_SECRET, TELEGRAM_BOT_TOKEN, TELEGRAM_CHAT_ID, ANTHROPIC_API_KEY
Required binaries: node
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install creem-store-agent

ClawHub CLI

Package manager switcher

npx clawhub@latest install creem-store-agent
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description align with required binaries and environment variables. CREEM_API_KEY, CREEM_WEBHOOK_SECRET, TELEGRAM_BOT_TOKEN/CHAT_ID, and ANTHROPIC_API_KEY are all plausibly required for: verifying webhooks, calling Creem SDK, sending Telegram messages, and calling Anthropic. The code imports/uses the listed SDKs (creem, @anthropic-ai/sdk, node-telegram-bot-api) and implements the features described (webhook handler, LLM analyzer, action executor).
Instruction Scope
SKILL.md and code instruct the agent to register an HTTP webhook route, verify HMAC signatures, fetch context from Creem, call Anthropic for analysis, and send Telegram messages; these are within the stated scope. Important behavioral detail: the skill can autonomously auto-execute billing-impacting actions (create discounts, pause subscriptions) when the LLM confidence >= 80%. This is a deliberate capability but has real financial impact and should be considered by operators. Demo code also reads a local .env for convenience (development only).
Install Mechanism
There is no installer that downloads arbitrary code at runtime — the repository is instruction-and-code based and relies on normal npm packages declared in package.json (creem, @anthropic-ai/sdk, node-telegram-bot-api). No suspicious download URLs or extract steps are present in the provided metadata.
Credentials
Requested environment variables (CREEM_API_KEY, CREEM_WEBHOOK_SECRET, TELEGRAM_BOT_TOKEN, TELEGRAM_CHAT_ID, ANTHROPIC_API_KEY) are directly required by the functionality. No unrelated credentials (cloud provider keys, DB passwords, etc.) are requested. CREEM_API_KEY is defined as primaryEnv which matches the skill's ability to act on subscriptions/discounts.
Persistence & Privilege
The skill registers an HTTP route (ctx.api.registerHttpRoute) and runs code that can autonomously call Creem APIs to modify subscriptions or create discounts. It does not request 'always: true' and uses in-memory pending state (no persistent system-wide config changes). The combination of autonomous invocation with write-capable Creem credentials is intended but increases blast radius — operators should be aware and control the auto-execute threshold and credentials provided.
Assessment
This skill appears to do exactly what it claims: receive and verify Creem webhooks, analyze churn with Anthropic/Claude, notify via Telegram, and optionally call Creem to create discounts or pause subscriptions. Before installing or enabling it for production, consider the following: - Financial impact: the agent can auto-execute retention actions (create discounts or pause subscriptions) when LLM confidence ≥ 80%. If you don't want automatic changes, keep it in manual-approval mode or lower privileges on the Creem API key. - Test in sandbox: run the demo with test Creem credentials and a test Telegram chat to confirm behavior and button flows before connecting to a live store. - Least privilege: create a Creem API key scoped as narrowly as possible (if Creem supports scoped keys) and rotate it regularly. Limit the Telegram bot's chat permissions and keep TELEGRAM_CHAT_ID restricted to authorized operators. - Monitor and logs: ensure you have visibility (logs/alerts) for every auto-executed action so you can audit and revert if needed. - Review dependencies and run tests: the repo includes tests and uses common npm packages; run npm audit and the included test suite locally if you want extra confidence. If you want to be extra cautious, omit ANTHROPIC_API_KEY (fallback rule-based behavior is present) or disable autonomous execution in configuration before connecting to a production Creem key.
demo/demo-script.ts:14
Environment variable access combined with network send.
!
demo/demo-script.ts:1
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🍦 Clawdis
Binsnode
EnvCREEM_API_KEY, CREEM_WEBHOOK_SECRET, TELEGRAM_BOT_TOKEN, TELEGRAM_CHAT_ID, ANTHROPIC_API_KEY
Primary envCREEM_API_KEY
latestvk97d20bkz6xsvvzq7s12yq647d83ny6q
105downloads
0stars
1versions
Updated 1mo ago
v1.0.0
MIT-0
Dmitrii Malakhov@malakhov-dmitrii
latest
Download

Creem Store Agent

AI-powered monitoring for your Creem store. Sends real-time Telegram alerts for sales, subscriptions, disputes, and refunds. Uses Claude AI to analyze churn events and autonomously recommend retention actions.

Commands

  • /creem-status — Check store connection and webhook status
  • /creem-report — Daily revenue summary (MRR, churn, new sales)

Features

  • Real-time alerts: Formatted Telegram notifications for all Creem events
  • AI churn analysis: Claude Haiku analyzes cancellations and recommends retention actions
  • Autonomous actions: Create retention discounts or pause subscriptions via inline buttons
  • Event deduplication: Handles Creem webhook retries gracefully
  • HMAC verification: Validates webhook signatures for security

Setup

  1. Install: clawhub install creem-store-agent
  2. Set environment variables (see .env.example)
  3. Expose webhook URL: ngrok http 3000 (development)
  4. Register webhook in Creem dashboard: https://your-ngrok-url.ngrok.io/webhook/creem

Environment Variables

VariableDescription
CREEM_API_KEYCreem API key (test: creem_test_xxx)
CREEM_WEBHOOK_SECRETWebhook signing secret from Creem dashboard
TELEGRAM_BOT_TOKENTelegram bot token from @BotFather
TELEGRAM_CHAT_IDTelegram chat ID for notifications
ANTHROPIC_API_KEYAnthropic API key for Claude Haiku

Comments

Loading comments...