RedotPay Wallet

Advisory. Audited by static analysis on May 6, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the user confirms, the agent may make a paid RedotPay request on the user's behalf.

Why it was flagged

The skill exposes a CLI request command that can incur charges, but it also requires inspection, quoting, explicit confirmation, and a spend cap before use.

Skill content
`redotpay request [flags] <endpoint_url>` ... `Any paid redotpay request must: State amount, currency, and purpose; Obtain explicit user confirmation before executing`

Recommendation

Before confirming, check the service name, endpoint, parameters, exact price, currency, and `--max-spend` limit.

What this means

The agent may rely on an authenticated RedotPay wallet session to make authorized requests after confirmation.

Why it was flagged

The skill requires authenticating a RedotPay wallet session and acknowledges sensitive token/config handling. This is expected for the integration but high-impact.

Skill content
`redotpay wallet login` ... `Never expose OAuth tokens, keys, or wallet config in chat`

Recommendation

Only log in through a trusted RedotPay CLI/app flow, avoid sharing wallet configuration or tokens, and run `redotpay wallet logout` once the session is no longer needed.

What this means

Installing the CLI requires trusting an external GitHub-hosted script that this review did not inspect.

Why it was flagged

The first-time setup reference downloads and executes an external installer; the installer and checksum file are not included in the provided artifact set.

Skill content
`curl -fsSL "https://raw.githubusercontent.com/redotpay/redotpay-cli/v0.1.0/install.sh" -o redotpay-install.sh` ... `bash redotpay-install.sh`

Recommendation

Install RedotPay CLI only from a trusted official source, inspect or verify the installer and checksum, and avoid running it with elevated privileges unless necessary.

What this means

A user could overlook that data or service requests may still cost money.

Why it was flagged

The no-purchase wording could be misunderstood as meaning no charges, while the skill later allows paid API requests with confirmation.

Skill content
`Find, search, and request only — no purchase/buy flows.` ... `Any paid redotpay request must...`

Recommendation

Treat any `redotpay request` as potentially billable and require a clear cost quote before approving.