RedotPay Payment Skill for MPP
Pass
Audited by VirusTotal on May 7, 2026.
Overview
Type: OpenClaw Skill
Name: redotpay-payment
Version: 0.1.7

The redotpay-payment skill facilitates service discovery and financial transactions via a CLI tool, but contains several high-risk patterns. Specifically, SKILL.md instructs the agent to construct shell commands using unvalidated user input (e.g., `redotpay wallet services list --search "<keywords>"`), which creates a shell injection vulnerability. Additionally, the installation reference uses a risky `curl | bash` pattern from an external GitHub URL (raw.githubusercontent.com/redotpay/redotpay-cli/v0.1.1/install.sh) and performs filesystem modifications via `ln -sf`. While the skill includes safety instructions regarding user consent and spend caps, these architectural vulnerabilities and high-privilege operations are risky.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the user confirms a paid request, the agent may spend wallet funds to call a RedotPay service.
The skill can invoke a paid request tool against service endpoints. The instructions mitigate this by requiring inspection, cost disclosure, explicit confirmation, and spend caps, so this is purpose-aligned but important for users to notice.
Then call the service: `redotpay request [flags] <endpoint_url>` ... Only execute after Step 3 confirmation.
Only confirm after checking the endpoint, exact USD cost, original currency amount, expected output, and `--max-spend` limit.
The skill may rely on a logged-in RedotPay wallet/account to authorize paid API requests.
The workflow uses RedotPay wallet/account login before paid calls. This is expected for the payment purpose, but it gives the CLI access to a sensitive account context.
First, check login status: `redotpay wallet whoami` ... Not logged in → run login flow
Log in only through a trusted RedotPay CLI installation, review account/wallet permissions, and log out when no longer needed.
Installing or using the wrong CLI binary could affect payments or account security.
The registry does not provide provenance or installation details for a skill that depends on an external RedotPay CLI, so users need to verify the CLI source independently.
Source: unknown; Homepage: none ... No install spec — this is an instruction-only skill.
Install `redotpay` only from an official source and verify the binary path/version before using wallet login or paid requests.
