razorpay monitor

v1.0.0

Autonomous Razorpay payment monitoring for Indian merchants. Tracks daily settlements, detects failed payments, sends WhatsApp/Telegram alerts for anomalies,...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The declared purpose (monitor Razorpay payments and send WhatsApp/Telegram alerts) matches the Razorpay API usage and required Razorpay creds, but the skill provides no mechanism, credentials, or instructions for delivering messages over WhatsApp or Telegram. It also suggests cron lines that invoke a 'razorpay-monitor' binary/command despite being an instruction-only skill with no install or executable; this is incoherent.
Instruction Scope
SKILL.md stays within the Razorpay API surface (payments, refunds, settlements, disputes) and references only declared env vars for authentication. However, it leaves open how notifications are transmitted (no webhook/SMTP/WhatsApp/Telegram tokens or endpoints), and it mentions keeping and using 'memory' for week-over-week comparisons without specifying where that data is stored or how it's protected.
Install Mechanism
There is no install spec (instruction-only), which is low-risk, but the provided cron examples call an external command ('razorpay-monitor') that doesn't exist in this package. That mismatch could confuse deployers or hide missing implementation steps.
Credentials
The only required env vars are RAZORPAY_KEY_ID and RAZORPAY_KEY_SECRET, which are appropriate for Razorpay access. But the skill claims to send WhatsApp/Telegram alerts yet does not request any messaging credentials (e.g., Telegram bot token, WhatsApp API config), which is inconsistent and could mean the skill expects to use other unspecified messaging channels or shared credentials.
Persistence & Privilege
The skill does not request always:true or any system config paths, and autonomous invocation is default. It mentions retaining last week's data for comparisons but doesn't specify storage location or retention policy — this is ambiguous but not a direct privilege escalation.
What to consider before installing
Do not install or hand over live Razorpay keys until these gaps are clarified. Ask the author for: (1) explicit instructions / code for how alerts are delivered (Telegram bot token, WhatsApp provider details, or webhook endpoints), (2) an install/run method (what 'razorpay-monitor' is and how it's installed or executed), and (3) where and how historical data is stored and protected. Use test keys first, create a limited-permission API key if possible, rotate keys after testing, and prefer hosting the monitor in an isolated environment (container or dedicated host). If the author cannot supply concrete install code and messaging integration details, treat the skill as incomplete and avoid providing production credentials.

Like a lobster shell, security has layers — review code before you run it.


Runtime requirements

💳 Clawdis
Env: RAZORPAY_KEY_ID, RAZORPAY_KEY_SECRET
Primary env: RAZORPAY_KEY_ID
