Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Pop Pay Skill
v0.6.23
Your card stays on your PC — no SaaS, no login, no external account. Credentials inject directly, keeping them out of the AI's context window.
by @tpemist
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (local card injection via a local 'pop-pay' binary) matches the declared required binary and the spend-policy env vars — those are appropriate for a local payment injector. However, the SKILL.md references additional runtime configuration (e.g., POP_LLM_API_KEY for optional LLM guardrails and POP_WEBHOOK_URL for notifications) and a spend-policy file at ~/.config/pop-pay/.env that are not listed in requires.env or required config paths in the registry metadata. The SKILL.md also instructs users to pip install pop-pay from PyPI (an external install step not captured in the skill registry).
Instruction Scope
The runtime instructions tell the agent to call local tools (request_purchaser_info / request_virtual_card) and to pass 'reasoning' and page URLs. Those arguments could contain arbitrary agent context; the skill claims the card never appears in the agent context, but the protocol still exposes purchase metadata to the injector. SKILL.md expects a local keychain, a guardrail engine (keyword or optional LLM), and a local config file — yet the registry metadata omitted the config path and optional envs referenced in the docs. The instructions also direct the user to modify OpenClaw config to run a local MCP server for 'pop-pay', which is normal but increases the attack surface if the binary is untrusted.
Install Mechanism
This is an instruction-only skill with no registry install spec, but SKILL.md tells users to pip install pop-pay from PyPI. Relying on an external package from PyPI is a supply-chain risk; the registry should either include a vetted install spec or clearly document provenance and hashes. No code shipped with the skill means the registry cannot guarantee what the 'pop-pay' binary will do once installed.
Credentials
The declared required env vars (POP_ALLOWED_CATEGORIES, POP_MAX_AMOUNT_PER_TX, POP_MAX_DAILY_BUDGET, POP_AUTO_INJECT, POP_REQUIRE_HUMAN_APPROVAL, POP_GUARDRAIL_ENGINE) are appropriate for controlling spend policy. However, the SKILL.md references additional env/config items (POP_LLM_API_KEY, POP_WEBHOOK_URL) that are not declared in requires.env. POP_WEBHOOK_URL in particular could forward events to an external endpoint (possible exfiltration vector) if enabled by the user — the registry should have declared it. The skill requests no primary credential (card is in system keychain), which is coherent, but the number and sensitivity of envs plus the undocumented optional endpoints are concerning.
Persistence & Privilege
always:false (default) is appropriate. The skill is allowed to be invoked autonomously (disable-model-invocation:false) which is the platform default, but because this skill can cause real-world charges, autonomous invocation increases risk. Recommend enabling POP_REQUIRE_HUMAN_APPROVAL by default or disabling autonomous invocation for payment actions until the operator reviews the binary and config.
What to consider before installing
Things to check before installing/using this skill:
- Do not pip install the package blindly. Inspect the pop-pay PyPI package source (or install from the GitHub repo) and verify the code that reads the keychain and performs CDP injection. Prefer installing in an isolated/testing environment first.
- Ask the maintainer or registry to add an explicit install spec and a reproducible provenance (release tarball with checksum, signed release, or direct GitHub release URL). Registry metadata should list optional envs (POP_LLM_API_KEY, POP_WEBHOOK_URL) and the config path (~/.config/pop-pay/.env).
- Treat POP_WEBHOOK_URL as dangerous unless you control the receiving endpoint. Keep webhooks disabled unless you explicitly need them.
- Prefer POP_GUARDRAIL_ENGINE=keyword and set POP_REQUIRE_HUMAN_APPROVAL=true (manual confirmation) to avoid autonomous charges while you audit behavior.
- Audit permissions: ensure the local system keychain access policy and the pop-pay binary’s access to it are acceptable; consider running pop-pay under a limited account.
- If you rely on the optional LLM guardrail, keep your API key private and verify how/when it is used; the skill should document where that key is read (it currently does not list it in requires.env).
- If uncertain, classify this skill as high-risk until you can review the installed binary/source code; the registry entry and SKILL.md contain inconsistent declarations that should be clarified.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
Bins: pop-pay
Env: POP_ALLOWED_CATEGORIES, POP_MAX_AMOUNT_PER_TX, POP_MAX_DAILY_BUDGET, POP_AUTO_INJECT, POP_REQUIRE_HUMAN_APPROVAL, POP_GUARDRAIL_ENGINE
