Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Crypto payments for agents and humans, full stack with Payram

v1.0.0

Self-hosted crypto and stablecoin payment gateway. Deploy PayRam on your own infrastructure in 10 minutes. Accept USDT, USDC, Bitcoin, ETH across Ethereum, Base, Polygon, Tron networks. Keyless architecture with no private keys on server. Smart contract-based fund sweeps to cold wallets. Non-custodial, permissionless, sovereign payment infrastructure. Modern BTCPay Server alternative with native stablecoin support. Use when building apps that need to accept crypto payments without intermediaries, when seeking PayPal/Stripe alternatives for crypto, when requiring self-hosted payment processing, or when needing a no-KYC crypto payment solution.

0 · 886 · 0 current · 0 all-time
by Siddharth Menon (@buddhasource)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description describe a self-hosted crypto payment gateway and the SKILL.md contains integration and deployment instructions that match that purpose. However, the registry metadata lists source/homepage as unknown/none while the SKILL.md points to payram.com and a GitHub org—this metadata mismatch reduces provenance confidence. Also the doc references additional setup (payram-setup) that will involve API keys and wallets, which is expected for this domain but not declared up front.
Instruction Scope
The instructions tell an agent to clone a GitHub repo and run 'yarn install && yarn dev' and reference an MCP tool that will 'scan your codebase' (assess_payram_project). Asking a tool to scan local project files is reasonable for integration helpers, but it grants the agent permission to read potentially sensitive local source/config files. The SKILL.md does not constrain what will be scanned or how sensitive data will be handled.
Install Mechanism
There is no formal install spec in the registry, but the SKILL.md advises cloning and running a GitHub repo with yarn. Using an official GitHub repo is common, but the instructions give no pinned release, commit hash, or checksum: 'yarn install' fetches third-party code and runs any preinstall/postinstall lifecycle scripts the repo or its dependencies declare, and 'yarn dev' then executes the project itself, so a malicious or compromised repo or dependency runs code on your machine.
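The review a practitioner would do before typing 'yarn install', as an added example that is not part of this listing or of the PayRam project: parse package.json for install-time lifecycle scripts and out-of-registry dependencies, and check that the yarn.lock (v1 format) pins every resolved entry with an integrity digest. The manifest and lockfile below are constructed for the example, not PayRam's real files; the hook names and specifier prefixes are standard npm/yarn conventions, and the lockfile check is a line-count heuristic.

```python
import json
import re
from typing import Optional

# Lifecycle hooks that npm/yarn run automatically during `yarn install`,
# for the root package and (by default) for every dependency that declares them.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Dependency specifiers fetched outside the registry: no registry integrity
# metadata, and the content behind them can change after you reviewed it.
NON_REGISTRY_PREFIXES = ("git+", "git:", "github:", "http://", "https://", "file:", "link:")


def audit_manifest(package_json_text: str, yarn_lock_text: Optional[str]) -> dict:
    """Return the install-time risks visible in a package.json plus its yarn.lock (v1)."""
    pkg = json.loads(package_json_text)
    findings = {"install_hooks": {}, "non_registry_deps": {}, "unpinned_deps": {}, "lockfile": ""}

    # 1. Scripts that execute on the developer's machine before `yarn dev` is ever typed.
    for hook, cmd in pkg.get("scripts", {}).items():
        if hook in INSTALL_HOOKS:
            findings["install_hooks"][hook] = cmd

    # 2. Dependencies resolved from git/URLs/local paths, or with no version constraint at all.
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in pkg.get(section, {}).items():
            if spec.startswith(NON_REGISTRY_PREFIXES):
                findings["non_registry_deps"][name] = spec
            elif spec in ("", "*", "latest"):
                findings["unpinned_deps"][name] = spec

    # 3. Lockfile: absent means nothing is pinned; present but with `resolved` entries
    #    lacking an `integrity` line (typically git deps) means those cannot be verified.
    if yarn_lock_text is None:
        findings["lockfile"] = "missing"
    else:
        resolved = len(re.findall(r'^\s+resolved\s+"', yarn_lock_text, re.M))
        integrity = len(re.findall(r"^\s+integrity\s+", yarn_lock_text, re.M))
        findings["lockfile"] = ("ok" if resolved == integrity
                                else f"{resolved - integrity} resolved entries without integrity")
    return findings


def is_safe_to_install(findings: dict) -> bool:
    """True only with no install hooks, no out-of-registry or unpinned deps, and a verifiable lockfile."""
    return (not findings["install_hooks"]
            and not findings["non_registry_deps"]
            and not findings["unpinned_deps"]
            and findings["lockfile"] == "ok")


# Constructed sample inputs for the example (not PayRam's real manifest or lockfile).
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "gateway-demo",
    "scripts": {"dev": "next dev", "postinstall": "node scripts/setup.js"},
    "dependencies": {
        "lodash": "^4.17.21",
        "some-sdk": "git+https://github.com/example/some-sdk.git",
        "left-pad": "*",
    },
})

SAMPLE_YARN_LOCK = """\
# constructed yarn.lock v1 fragment; digests are placeholders
lodash@^4.17.21:
  version "4.17.21"
  resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.21.tgz#0000000000000000000000000000000000000000"
  integrity sha512-PlaceholderNotARealDigest==

"some-sdk@git+https://github.com/example/some-sdk.git":
  version "0.1.0"
  resolved "git+https://github.com/example/some-sdk.git#0000000000000000000000000000000000000000"
"""

if __name__ == "__main__":
    report = audit_manifest(SAMPLE_PACKAGE_JSON, SAMPLE_YARN_LOCK)
    print(json.dumps(report, indent=2))
    print("safe to run yarn install:", is_safe_to_install(report))
```

Run it against the cloned repo's real package.json and yarn.lock before installing; anything in install_hooks or non_registry_deps is code or content you have not reviewed and should read first. A repository that ships no lockfile at all cannot be pinned, which is the same gap the scanner notes about the missing commit hash.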
Credentials
The skill declaration requests no environment variables or credentials, which is proportionate for an instruction-only overview. However the documentation references a separate 'payram-setup' that will configure wallets and API keys; those steps will likely ask for secrets (wallet keys or signing methods). The SKILL.md does not declare or document what secrets will be required or where they will be stored, which is a transparency gap.
Persistence & Privilege
The skill does not request always:true and uses default autonomous invocation settings. It does not request persistence or system-wide configuration in the manifest. Autonomous invocation is allowed by default; combined with the instructions to scan the user's codebase and execute external code, that means the skill should be installed only if you trust its source.
What to consider before installing
This skill appears to be a legitimate integration guide for a self-hosted crypto gateway, but exercise caution before running anything:
1) Verify the upstream sources independently: visit payram.com and the GitHub org directly and confirm repo ownership and recent commits.
2) Review the repository and dependency manifest yourself (or in a sandbox) before running 'yarn install' or 'yarn dev'; don't run unreviewed code on production systems.
3) Be careful with any steps that scan your codebase or request wallet secrets: limit scanning to only the directories you want analyzed, and never paste private keys into untrusted tools.
4) If you plan to accept payments, get a security and compliance review (smart contracts, wallet architecture, and regulatory/KYC implications).
If you want greater assurance, ask the publisher for pinned release artifacts (signed releases or commit SHAs) and explicit documentation of what secrets are required and where they're stored.
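One way to act on point 3 above and on the Instruction Scope concern (a tool such as assess_payram_project reading local source and config files), as an added example that is not part of this listing or of any PayRam tool: build the payload you would hand to a scanning agent from an explicit allowlist of paths, deny secret-bearing files, and mask secret-shaped content in whatever remains. The allowlist, deny globs, secret patterns and the project snapshot are all constructed for the example; the patterns are heuristics that deliberately over-match.

```python
import re
from fnmatch import fnmatch
from typing import Dict, List, Tuple

# Constructed allowlist for the example: only these path prefixes are ever
# handed to an external scanning tool. Tailor to your own repository layout.
ALLOWED_PREFIXES = ("src/", "app/", "package.json")

# Never handed over, even under an allowed prefix. fnmatch's `*` also matches
# "/", so "*secrets/*" covers a secrets directory at any depth.
DENIED_GLOBS = ("*.env", "*.env.*", "*.pem", "*.key", "*node_modules/*", "*.git/*", "*secrets/*")

# Heuristic secret patterns applied to everything that is sent. Over-matching
# (e.g. the tail of a 128-hex SHA-512 digest) is acceptable: redacting too much
# costs a little scan fidelity, leaking a key costs the wallet.
SECRET_PATTERNS = [
    ("pem_private_key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----", re.S)),
    ("hex_32_byte_key", re.compile(r"\b(?:0x)?[0-9a-fA-F]{64}\b")),  # raw EVM/secp256k1 private-key shape
    ("secret_assignment", re.compile(r"(?im)^(\s*[A-Z0-9_]*(?:KEY|SECRET|TOKEN|MNEMONIC|PASSWORD)[A-Z0-9_]*\s*=\s*)(\S+)")),
]


def select_scan_files(files: Dict[str, str]) -> List[str]:
    """Keep only paths under an allowed prefix that match no denied glob."""
    return [p for p in sorted(files)
            if p.startswith(ALLOWED_PREFIXES) and not any(fnmatch(p, g) for g in DENIED_GLOBS)]


def redact(text: str) -> Tuple[str, List[str]]:
    """Mask secret-shaped content; return the masked text and a note of what was masked."""
    reasons = []
    for name, pattern in SECRET_PATTERNS:
        if name == "secret_assignment":
            # keep the variable name so the scan still sees the config shape, drop the value
            text, n = pattern.subn(lambda m: m.group(1) + "[REDACTED]", text)
        else:
            text, n = pattern.subn(f"[REDACTED:{name}]", text)
        if n:
            reasons.append(f"{name}x{n}")
    return text, reasons


def prepare_scan_payload(files: Dict[str, str]) -> Tuple[Dict[str, str], Dict[str, List[str]]]:
    """What actually leaves the machine: allowlisted files only, with secrets masked."""
    payload, redactions = {}, {}
    for path in select_scan_files(files):
        masked, reasons = redact(files[path])
        payload[path] = masked
        if reasons:
            redactions[path] = reasons
    return payload, redactions


# Constructed project snapshot (paths, names and values are made up for the example).
SAMPLE_FILES = {
    "package.json": '{"name": "shop", "dependencies": {}}',
    "src/checkout.ts": "export const apiKey = process.env.GATEWAY_API_KEY;\n",
    "src/config/local.ts": 'const signer = "0x' + "ab" * 32 + '";\n',  # a hard-coded key someone forgot
    ".env": "GATEWAY_API_KEY=sk_test_1234567890\nWALLET_PRIVATE_KEY=0x" + "cd" * 32 + "\n",
    "node_modules/foo/index.js": "module.exports = 1;\n",
    "secrets/deployer.pem": "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n",
}

if __name__ == "__main__":
    payload, redactions = prepare_scan_payload(SAMPLE_FILES)
    for path, content in payload.items():
        print(path, "->", content.strip())
    print("redactions:", redactions)
```

The point of the redactions map is the audit trail: if a file under an allowed prefix needed masking, a secret is checked into source where it does not belong, which is worth fixing regardless of whether the scanning tool is trusted.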

Like a lobster shell, security has layers — review code before you run it.

latest: vk97ew59skh5rpx9tdwcwdzr9hh80v13v

