ClawHub

Saas Billing System

v1.0.0

Comprehensive SaaS billing system with subscriptions, usage-based billing, invoicing, Stripe payments, dunning, proration, and multi-platform integration.

0· 497·1 current·1 all-time
by@sunshine-del-ux
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The description promises a working SaaS billing system (subscriptions, Stripe, invoicing, etc.) but the package contains no code or binaries to implement those features. SKILL.md references a ./billing.sh and Node.js 18+, yet no scripts or install steps are provided. This is incoherent: a real billing skill would include code, a repo/homepage, or an install spec.
!
Instruction Scope
Runtime instructions tell the agent (or user) to execute ./billing.sh commands and to set $STRIPE_KEY. Those scripts and the code they would run are not present, so the instructions cannot be followed as-is. The instructions also reference a sensitive env var (STRIPE_KEY) not declared in the skill metadata.
Install Mechanism
There is no install spec (instruction-only). That minimizes direct disk writes from the skill bundle itself, but it also means the instructions expect external files that are missing. Lack of an installer is consistent with an instruction-only skill but inconsistent with the claimed functionality.
!
Credentials
SKILL.md refers to an environment variable $STRIPE_KEY (sensitive payment credential) and requires Node.js, but requires.env and primary credential fields are empty. Asking for a Stripe key is plausible for a billing tool, but the credential should be declared and justified in metadata; absence is a red flag.
Persistence & Privilege
The skill does not request always:true and is user-invocable only. It does not request any config paths or elevated persistence. No direct privilege escalation indicators in the metadata.
What to consider before installing
This package is missing the actual code and fails to declare sensitive credentials it references. Do not provide your Stripe API key or run unverified commands. Before installing or using: (1) ask the author for the repository or homepage and inspect the source (billing.sh and Node code) yourself; (2) confirm required env vars (STRIPE_KEY) are declared and why they are needed; (3) only run the scripts in an isolated/test environment after reviewing their contents; (4) prefer a published project on a trusted registry or a linked Git repo with history and license. The inconsistencies could be sloppy packaging, but they could also mask a malicious or incomplete package — proceed only after obtaining and reviewing the real source code.

Like a lobster shell, security has layers — review code before you run it.

latestvk9770jd0ydzdqgz3n44s05jkzx828mdc

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments