razorpay monitor

Pass

Audited by ClawScan on May 10, 2026.

Overview

This is a coherent Razorpay monitoring skill, but it uses sensitive payment credentials and scheduled chat alerts, so users should configure keys, recipients, and retention carefully.

This skill appears purpose-aligned for Razorpay payment monitoring. Before installing, use limited or test Razorpay keys where possible, verify exactly where WhatsApp/Telegram alerts will be sent, keep customer details masked, and make sure any cron jobs or stored weekly summaries can be disabled or deleted.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If enabled with live Razorpay keys, the agent can access payment, refund, settlement, order, and dispute information for the merchant account.

Why it was flagged

The skill requires Razorpay account API credentials to access payment and settlement data. This is disclosed and aligned with the monitoring purpose, but those credentials are sensitive.

Skill content

Use HTTP Basic Auth with the Razorpay API:
- **Key ID**: from env `RAZORPAY_KEY_ID`
- **Key Secret**: from env `RAZORPAY_KEY_SECRET`

Recommendation

Use the least-privileged Razorpay credentials available, prefer test keys while evaluating, store secrets only in the approved OpenClaw configuration, and rotate keys if exposure is suspected.

What this means

Financial summaries or masked customer/payment details could be sent to a messaging channel if that integration is configured incorrectly.

Why it was flagged

The skill intends to send payment and revenue information through external messaging channels. This is disclosed and purpose-aligned, but the artifact does not define recipients, chat IDs, messaging credentials, or delivery boundaries.

Skill content

sends WhatsApp/Telegram alerts for anomalies, and delivers weekly revenue summaries

Recommendation

Before enabling alerts, explicitly configure and verify the intended WhatsApp or Telegram recipient, minimize included customer details, and avoid sending full secrets or unmasked payment/customer data.

What this means

Recurring jobs could continue to access Razorpay data and send notifications until disabled.

Why it was flagged

The skill documents scheduled recurring operation. This is expected for a monitoring assistant and is not hidden, but it means the skill may continue making API calls and sending alerts after setup.

Skill content

Daily Morning Report (runs at 8:00 AM IST via cron)
...
Poll for anomalies every 30 minutes during business hours

Recommendation

Only add the cron entries if you want continuous monitoring, document where they are installed, and remove or disable them when the monitoring is no longer needed.

What this means

Past revenue summaries could remain available to the agent for later tasks if persistent memory is enabled.

Why it was flagged

The skill may reuse stored prior-week revenue data for comparisons. This is useful for the stated purpose, but it implies some financial summary data may persist across runs.

Skill content

Total revenue (week-over-week comparison if memory has last week's data)

Recommendation

Limit stored summaries to the minimum needed, avoid retaining customer-level details, and clear memory or disable retention if the data should not persist.