PayPal

v1.0.0

Integrate PayPal payments with proper webhook verification, OAuth handling, and security validation for checkout flows and subscriptions.

by Iván (@ivangdavila)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description and instructions are consistent with a PayPal integration. However, the skill does not declare any required environment variables or primary credential even though the SKILL.md and code patterns repeatedly reference clientId, secret, WEBHOOK_ID, YOUR_MERCHANT_ID, and an access token. That omission is disproportionate and unexplained.
Instruction Scope
The runtime instructions stay within PayPal integration scope (OAuth token management, webhook verification, order capture, subscriptions, dispute handling). They reference DB operations (db.webhooks, db.orders) and external tooling (ngrok) which are reasonable for server integration, but the instructions assume a datastore and secret configuration that the skill metadata does not request.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest install risk. Nothing is downloaded or written to disk by the skill package itself.
Credentials
The content requires sensitive values (PayPal client ID and secret, webhook_id, merchant ID, likely DB credentials) but the registry entry lists no required environment variables or primary credential. That mismatch makes it unclear what the operator must provide and where secrets will be used, increasing risk of misconfiguration or accidental leakage.
Persistence & Privilege
The skill is not always-included and does not request persistent system privileges. Autonomous invocation (model can call the skill) is allowed but is platform default and not by itself alarming here.
What to consider before installing
This skill contains detailed, standard PayPal integration guidance, but the package metadata omits the credentials and config it actually needs. Before installing or using it:
1) Ask the publisher for the source code or homepage and a list of required environment variables (client ID, client secret, WEBHOOK_ID, merchant ID, DB connection info).
2) Do not paste secrets into chat — store PayPal credentials in a secure secret store and bind them only to the runtime you control.
3) Verify webhook verification is implemented exactly as shown (verify-webhook-signature) and point webhooks to an authenticated, HTTPS endpoint.
4) Confirm how the skill expects to access your database (what DB, schema, and credentials) and restrict those credentials to minimal privileges.
5) Prefer testing in PayPal sandbox(s) before production.
If the publisher updates the registry metadata to explicitly declare the required env vars and credential scope, and provides a trusted source or repo, re-evaluate — that would reduce the concerns.


latest: vk973q9sm7eep3mgnvz1h19b0gx81bgbt

Runtime requirements

💳 Clawdis
OS: Linux · macOS · Windows
