Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
The Agent Payment Rails Playbook
v1.3.1The Agent Payment Rails Playbook. Ship multi-protocol agentic payments (x402, ACP, AP2, UCP, MPP) with spending controls, KYA compliance, and escrow protecti...
⭐ 0· 127·0 current·0 all-time
by@mirni
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
medium confidencePurpose & Capability
The skill is a payments playbook referencing a GreenHelix gateway and Stripe; requesting GREENHELIX_API_KEY, STRIPE_API_KEY, and an AGENT_SIGNING_KEY is consistent with building and running the integrations the guide describes. Minor inconsistency: the guide text says the GreenHelix sandbox requires no API key to get started, while the metadata declares GREENHELIX_API_KEY as required.
Instruction Scope
SKILL.md contains working Python examples intended to run against the GreenHelix API and Stripe and states examples have been 'tested against the live gateway.' That is expected for a playbook but creates financial risk if users run examples with production keys. The guide does not appear to direct reading unrelated system files or exfiltrating data to unexpected endpoints, but it does presume access to sensitive keys and to the gateway/Stripe endpoints.
Install Mechanism
Instruction-only skill with no install spec and no code files. Nothing will be written to disk by the skill itself — low install risk.
Credentials
Three environment variables are requested and each maps to a plausible capability: gateway access (GREENHELIX_API_KEY), agent identity/signing (AGENT_SIGNING_KEY), and card payments (STRIPE_API_KEY). These are sensitive credentials. The guide claims STRIPE_API_KEY is 'scoped to payment intents only'—you should ensure minimal scopes and use test keys. The requirement to supply AGENT_SIGNING_KEY is reasonable for KYA flows but is sensitive: do not supply high-privilege or production signing keys to untrusted agents.
Persistence & Privilege
always is false and the skill does not request system-wide config changes. The skill is user-invocable and model-invocation is enabled (the platform default); combined with payment credentials this means an agent with these credentials could initiate transactions if you let it run code — this is normal for integration tasks but worth guarding with test keys and restricted scopes.
Assessment
This is an instructional playbook and the requested environment variables align with its purpose, but those variables are sensitive and could be used to make real payments. Before installing or running examples: (1) use sandbox/test keys only; (2) create minimally-scoped API keys in Stripe/GreenHelix (payment-intent-only, sandbox mode) and avoid production keys; (3) keep the AGENT_SIGNING_KEY offline or use a test signing key and protect it with hardware or a secrets manager if possible; (4) review every code example before executing and run them first in the GreenHelix sandbox; (5) consider disabling autonomous invocation for agents that hold live payment keys or restrict agent permissions; (6) rotate keys after testing and enable audit/logging on payment accounts.Like a lobster shell, security has layers — review code before you run it.
acpvk97accfzj7fra7t974gv8mb13584x4nvai-agentvk97accfzj7fra7t974gv8mb13584x4nvescrowvk97accfzj7fra7t974gv8mb13584x4nvgreenhelixvk97accfzj7fra7t974gv8mb13584x4nvguidevk97accfzj7fra7t974gv8mb13584x4nvkyavk97accfzj7fra7t974gv8mb13584x4nvlatestvk97accfzj7fra7t974gv8mb13584x4nvopenclawvk97accfzj7fra7t974gv8mb13584x4nvpaymentsvk97accfzj7fra7t974gv8mb13584x4nvspending-controlsvk97accfzj7fra7t974gv8mb13584x4nvx402vk97accfzj7fra7t974gv8mb13584x4nv
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
EnvGREENHELIX_API_KEY, AGENT_SIGNING_KEY, STRIPE_API_KEY
Primary envGREENHELIX_API_KEY