Whop Digital Sales
Review
Audited by ClawScan on May 10, 2026.
Overview
This skill is clearly aimed at Whop sales automation, but it can use a company API key to create public products, paid plans, and checkout links without clear approval or rollback safeguards.
Review and edit the Python script before running it. It will create public Whop products, paid plans, and checkout links using your company API key. Use a least-privileged key if Whop supports one, confirm all names/prices/descriptions first, and avoid running the missing referenced script unless you can inspect it.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the skill can change the user's Whop business account by publishing products and checkout links, including paid offers.
The script performs live POST requests that create products, pricing plans, and checkout links on the user's Whop account.
resp = requests.post(f"{BASE_URL}/products", headers=HEADERS, json=payload, timeout=15) ... plan_resp = requests.post(f"{BASE_URL}/v2/plans" ... checkout_resp = requests.post(f"{BASE_URL}/checkouts"
Only run it after reviewing and editing the product names, descriptions, and prices; ideally add a dry-run and explicit confirmation before any POST request.
A user could unintentionally publish hard-coded sales offerings on their Whop storefront.
The script sets created products and plans to public visibility, so the account changes are not merely private drafts.
"visibility": "public"
Default new products to private/draft when possible, or clearly require user approval before publishing anything public.
The API key may allow account-level actions beyond simply generating checkout links, depending on Whop's permissions.
The skill requires a sensitive Whop company API key to act on the user's account, which is expected for the integration but should be scoped carefully.
Auth: `Authorization: Bearer {WHOP_API_KEY}` ... Create a Company API key ... Save as secret `WHOP_API_KEY`
Use the least-privileged Whop API key available, rotate it if exposed, and remove it when no longer needed.
Users may not see the credential requirement clearly from the registry metadata before reviewing the skill text.
The registry metadata does not declare the WHOP_API_KEY credential even though the skill documentation and code require it.
Required env vars: none ... Primary credential: none
Declare WHOP_API_KEY as a required sensitive credential in metadata.
The documented workflow is incomplete, and users cannot review the referenced checkout-link script in the supplied artifacts.
The instructions reference scripts/generate_checkout_links.py, but the provided manifest only includes scripts/create_whop_products.py.
python scripts/create_whop_products.py
python scripts/generate_checkout_links.py
Include the referenced script or remove the command from the documentation.
If extended or used manually, the skill could expose payment-related data in the agent conversation or logs.
The skill documents access to payment records, which can include sensitive business or customer information, although the included script does not call this endpoint.
- `GET /payments` — List payments
Only request payment data when needed, avoid pasting unnecessary customer/payment details into chats, and clarify what payment fields are accessed.
