RedotPay Wallet
Pass
Audited by VirusTotal on May 6, 2026.
Overview
Type: OpenClaw Skill
Name: redotpay
Version: 1.0.0
The skill bundle facilitates service discovery and financial transactions via the RedotPay CLI, requiring high-risk capabilities such as arbitrary network requests (`redotpay request`) and shell execution for installation (`curl | bash`). While the SKILL.md includes robust safety protocols—including mandatory user confirmation for costs, spend caps, and explicit warnings against credential leakage—the inherent risks associated with the broad request tool and the installation pattern (fetching a remote script from raw.githubusercontent.com) align with the criteria for a suspicious classification.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the user confirms, the agent may make a paid RedotPay request on the user's behalf.
The skill exposes a CLI request command that can incur charges, but it also requires inspection, quoting, explicit confirmation, and a spend cap before use.
`redotpay request [flags] <endpoint_url>` ... `Any paid redotpay request must: State amount, currency, and purpose; Obtain explicit user confirmation before executing`
Before confirming, check the service name, endpoint, parameters, exact price, currency, and `--max-spend` limit.
The agent may rely on an authenticated RedotPay wallet session to make authorized requests after confirmation.
The skill requires authenticating a RedotPay wallet session and acknowledges sensitive token/config handling. This is expected for the integration but high-impact.
`redotpay wallet login` ... `Never expose OAuth tokens, keys, or wallet config in chat`
Only log in through a trusted RedotPay CLI/app flow, avoid sharing wallet configuration or tokens, and use `redotpay wallet logout` when done if desired.
Installing the CLI requires trusting an external GitHub-hosted script that this review did not inspect.
The first-time setup reference downloads and executes an external installer; the installer and checksum file are not included in the provided artifact set.
`curl -fsSL "https://raw.githubusercontent.com/redotpay/redotpay-cli/v0.1.0/install.sh" -o redotpay-install.sh` ... `bash redotpay-install.sh`
Install RedotPay CLI only from a trusted official source, inspect or verify the installer and checksum, and avoid running it with elevated privileges unless necessary.
A user could overlook that data or service requests may still cost money.
The no-purchase wording could be misunderstood as meaning no charges, while the skill later allows paid API requests with confirmation.
`Find, search, and request only — no purchase/buy flows.` ... `Any paid redotpay request must...`
Treat any `redotpay request` as potentially billable and require a clear cost quote before approving.
