RedotPay Wallet Review
Audited by ClawScan on May 10, 2026.
Overview
This RedotPay skill includes payment safeguards, but it can use a wallet to make paid requests and points users to a remote installer that is not fully verifiable from the provided artifacts.
Review before installing. Use this skill only if you trust the RedotPay CLI source, can verify the installer independently, and are comfortable authorizing wallet-backed paid requests. Do not proceed if the agent skips cost disclosure, explicit confirmation, or a max-spend cap.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user could think the skill only performs free lookups while it can proceed to a paid service or data request after confirmation.
The skill frames itself as excluding purchase/buy flows, but its workflow still permits paid RedotPay requests, so the financial authority could be underestimated.
"Find, search, and request only — no purchase/buy flows." ... "Login is only needed at Step D before making a paid request."
Clarify in the registry and SKILL.md that paid API/service requests can occur, even if commerce purchases are excluded, and keep the explicit cost/currency/purpose confirmation requirement.
If the installer source or script is compromised, it could affect the local environment used for wallet login and paid requests.
The skill directs users to run a remote installer for a wallet/payment CLI, but the referenced checksum file is not included or downloaded in the instructions, so provenance verification is incomplete in the provided artifacts.
curl -fsSL "https://raw.githubusercontent.com/redotpay/redotpay-cli/v0.1.0/install.sh" -o redotpay-install.sh
shasum -a 256 -c SHA256SUMS --ignore-missing
bash redotpay-install.sh
Install only from a verified official source, inspect the script first, and require a pinned checksum or signed release before running it.
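The install sequence quoted above checks against a SHA256SUMS file that is never fetched, so the check cannot succeed as written. The following is an added example, not code from the RedotPay skill or the ClawScan audit: a fail-closed wrapper that refuses to execute an installer unless a checksum file is actually present, lists the script by name, and its pinned digest matches. The file names, the demo script contents, and the choice of `sha256sum`/`shasum` are assumptions.

```shell
# Added example (not from the RedotPay skill or ClawScan): fail-closed installer check.

# Print the SHA-256 hex digest of a file using whichever tool is available.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_installer <script> <sums-file>
# Returns 0 only when the checksum file exists, it contains an entry for the
# script's basename, and that pinned digest equals the actual digest.
# A missing checksum file is a failure, not a skipped check.
verify_installer() {
  script="$1"; sums="$2"
  [ -f "$script" ] || { echo "missing installer: $script" >&2; return 1; }
  [ -f "$sums" ] || { echo "missing checksum file: $sums (refusing to run)" >&2; return 1; }
  expected=$(awk -v name="$(basename "$script")" \
    '$2 == name || $2 == ("*" name) { print $1; exit }' "$sums")
  [ -n "$expected" ] || { echo "no pinned digest for $(basename "$script")" >&2; return 1; }
  actual=$(sha256_of "$script")
  [ "$actual" = "$expected" ] || { echo "digest mismatch for $script" >&2; return 1; }
  return 0
}

# run_verified_installer <script> <sums-file>: execute only after verification passes.
run_verified_installer() {
  verify_installer "$1" "$2" || return 1
  sh "$1"
}

# Constructed offline demonstration: a harmless stand-in script and a locally
# built checksum file; the tampered copy must be rejected.
demo() {
  d=$(mktemp -d)
  printf 'echo installer ran\n' > "$d/installer.sh"
  printf '%s  installer.sh\n' "$(sha256_of "$d/installer.sh")" > "$d/SHA256SUMS"
  verify_installer "$d/installer.sh" "$d/SHA256SUMS" && echo "genuine copy: verified"
  printf 'echo tampered\n' >> "$d/installer.sh"
  verify_installer "$d/installer.sh" "$d/SHA256SUMS" || echo "tampered copy: rejected"
  rm -rf "$d"
}

demo
```

A signed release would be stronger still, since a checksum file served from the same location as the script only detects corruption, not a compromised source.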
A confirmed request can send parameters to RedotPay services and may incur charges.
The skill exposes a broad request command that can call chargeable services, but it also instructs the agent to inspect pricing, quote cost, obtain explicit confirmation, and set a max-spend cap.
redotpay request [flags] <endpoint_url> ... Any paid `redotpay request` must: State amount, currency, and purpose ... Obtain explicit user confirmation
Only approve requests after checking the service name, endpoint, exact cost, currency, purpose, and max-spend cap.
Authorizing the CLI may create a local authenticated session that can be used for later RedotPay requests.
The workflow requires wallet/account authorization and acknowledges OAuth tokens or wallet config. This is expected for RedotPay paid requests but is sensitive account authority.
redotpay wallet login ... Open the RedotPay app, scan the QR code above to authorize ... Never expose OAuth tokens, keys, or wallet config in chat
Log in only when needed, keep tokens and wallet configuration private, consider a limited-balance account, and use `redotpay wallet logout` when finished.
