Skill v1.0.0
ClawScan security
razorpay monitor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review: Feb 27, 2026, 7:27 PM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's Razorpay API usage is coherent, but it claims to send WhatsApp/Telegram alerts and shows cron lines / a 'razorpay-monitor' CLI without providing any install, transport credentials, or details for those integrations — that mismatch warrants caution.
- Guidance: Do not install or hand over live Razorpay keys until these gaps are clarified. Ask the author for: (1) explicit instructions / code for how alerts are delivered (Telegram bot token, WhatsApp provider details, or webhook endpoints), (2) an install/run method (what 'razorpay-monitor' is and how it's installed or executed), and (3) where and how historical data is stored and protected. Use test keys first, create a limited-permission API key if possible, rotate keys after testing, and prefer hosting the monitor in an isolated environment (container or dedicated host). If the author cannot supply concrete install code and messaging integration details, treat the skill as incomplete and avoid providing production credentials.
Review Dimensions
- Purpose & Capability (concern): The declared purpose (monitor Razorpay payments and send WhatsApp/Telegram alerts) matches the Razorpay API usage and required Razorpay creds, but the skill provides no mechanism, credentials, or instructions for delivering messages over WhatsApp or Telegram. It also suggests cron lines that invoke a 'razorpay-monitor' binary/command despite being an instruction-only skill with no install or executable; this is incoherent.
- Instruction Scope (concern): SKILL.md stays within the Razorpay API surface (payments, refunds, settlements, disputes) and references only declared env vars for authentication. However, it leaves open how notifications are transmitted (no webhook/SMTP/WhatsApp/Telegram tokens or endpoints), and it mentions keeping and using 'memory' for week-over-week comparisons without specifying where that data is stored or how it's protected.
- Install Mechanism (note): There is no install spec (instruction-only), which is low-risk, but the provided cron examples call an external command ('razorpay-monitor') that doesn't exist in this package. That mismatch could confuse deployers or hide missing implementation steps.
- Credentials (concern): The only required env vars are RAZORPAY_KEY_ID and RAZORPAY_KEY_SECRET, which are appropriate for Razorpay access. But the skill claims to send WhatsApp/Telegram alerts yet does not request any messaging credentials (e.g., Telegram bot token, WhatsApp API config), which is inconsistent and could mean the skill expects to use other unspecified messaging channels or shared credentials.
- Persistence & Privilege (note): The skill does not request always:true or any system config paths, and autonomous invocation is default. It mentions retaining last week's data for comparisons but doesn't specify storage location or retention policy — this is ambiguous but not a direct privilege escalation.
