Payment Link Reader

v1.0.0

Fetch product info by payment link ID. Calls GStable API to get payment link details, returns product name, description, price, and supported payment tokens....

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the code and SKILL.md. The script calls the documented GStable endpoint and returns product/payment-token info. Required binary (node) is appropriate.
Instruction Scope
Runtime instructions are narrowly scoped: run npm install then execute the TypeScript script with a link_id or URL. The script only reads its CLI args and one optional env var (GSTABLE_API_BASE_URL) and performs a single HTTP GET to the API base URL.
Install Mechanism
No download-from-arbitrary-URL installs; install is via npm (package.json + devDependencies). The skill is instruction-first and includes source files. The shebang uses 'npx tsx' but package.json provides 'tsx' as a devDependency — running 'npm install' prevents npx from pulling packages at runtime.
Credentials
No required credentials or sensitive environment variables. Only an optional GSTABLE_API_BASE_URL is declared and used. No access to unrelated env vars or config paths.
Persistence & Privilege
Skill does not request persistent privileges (always is false). It does not modify other skills or system configuration.
Assessment
This skill appears internally consistent and limited to calling GStable's public API. Before installing: 1) Run npm install in the skill directory to ensure 'tsx' is local (so npx won't fetch packages at runtime). 2) Be aware the script issues network requests to https://aipay.gstable.io (or any GSTABLE_API_BASE_URL you set) — if you have privacy or network restrictions, review that endpoint. 3) If you need higher assurance, inspect the shipped script (scripts/getPaymentLink.ts) yourself — it only parses the link_id and issues a GET request and prints JSON.
scripts/getPaymentLink.ts:16
Environment variable access combined with network send.
Confirmed safe by external scanners
Static analysis detected API credential-access patterns, but both VirusTotal and OpenClaw confirmed this skill is safe. These patterns are common in legitimate API integration skills.


latestvk97dryj83v1w8mvfsmb23wxqcn8350kq


Runtime requirements

🔗 Clawdis
Bins: node
