Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Crypto Payments Ecommerce
v1.0.2
Accept crypto and stablecoin payments for e-commerce stores with self-hosted PayRam. Use when building "crypto e-commerce", "Shopify crypto integration", "ac...
⭐ 0· 762·1 current·1 all-time
by Siddharth Menon @buddhasource
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description and the SKILL.md text align: this is a how-to for self-hosted crypto payments (PayRam). However there is an inconsistency in metadata presentation (registry shows no homepage while SKILL.md metadata references https://payram.com). The marketing claim of “no signup, no KYC” is part of the product pitch but is a legal/compliance claim rather than a technical requirement.
Instruction Scope
The SKILL.md describes architecture and operational steps that require managing private keys, wallet sweeping, blockchain RPC endpoints, and integrating on‑ramp services. As an instruction-only skill it does not declare or constrain how those secrets/credentials are handled. That scope increases the risk that an agent or user might be instructed to paste private keys or other sensitive data into the chat or to perform unsafe operations. The document also references third‑party on‑ramps (MoonPay, Ramp, Transak) — expected — but the guide does not appear to include safeguarding steps for secrets or explicit admonitions against sharing keys with the agent.
Install Mechanism
No install spec and no code files — the skill is instruction-only. This reduces the immediate risk from arbitrary code download or execution since nothing is installed by the skill itself.
Credentials
The skill declares no required environment variables or credentials, yet its instructions necessarily require secrets in real deployments (wallet private keys/seed phrases, RPC provider credentials, API keys for on‑ramps or custodial services). The absence of any declared env vars or guidance for secure secret handling is a mismatch that could lead users to inadvertently expose sensitive credentials.
Persistence & Privilege
always:false and default invocation settings — no elevated or persistent privileges are requested. There is no indication the skill attempts to modify other skills or system-level agent configuration.
What to consider before installing
This skill is a how-to guide for running your own crypto payment processing and is plausible for that purpose, but exercise caution. Self-hosting payments requires private keys/seed phrases, RPC provider credentials, and sometimes API keys for on‑ramps — do not paste those secrets into the chat or give the agent access to them. Verify the authenticity of 'PayRam' (check the project site, code repository, and third‑party audits), prefer audited open-source implementations, keep keys in a hardware wallet or secure vault, test on testnets first, and consult legal/compliance counsel (KYC/AML) for your jurisdiction. If you plan to follow the guide, only run code you’ve reviewed locally and never share private keys or production credentials with the agent.
Like a lobster shell, security has layers — review code before you run it.
