ClawHub

Payment Integration Guide

v0.1.0

Senior payment integration engineer that helps developers integrate 8 major payment providers (Stripe, PayPal, Alipay, WeChat Pay, Apple Pay, Google Pay, Raz...

0· 273·2 current·2 all-time
by@xiaoxty
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description (payment integration help for eight providers) matches the SKILL.md and providers.md content. The skill requests no binaries, env vars, or config paths — appropriate for a documentation/assistant skill that only provides code samples and guidance.
Instruction Scope
SKILL.md contains behavior rules and points the agent at the bundled providers.md for concrete code samples and webhook patterns. The instructions ask for working examples and security cautions but do not instruct the agent to read system files, access unrelated environment variables, post to hidden endpoints, or exfiltrate data. Code samples reference typical environment variable names (e.g., STRIPE_SECRET_KEY) as examples — this is expected in sample code and not an instruction to fetch secrets from the host.
Install Mechanism
No install spec and no code files that would be written or executed on install. Being instruction-only is the lowest-risk install model and is proportionate for a documentation skill.
Credentials
The skill declares no required environment variables or credentials. The included examples reference common payment-related env var names for demonstration, which is appropriate; there is no unexplained request for unrelated secrets or cross-service credentials.
Persistence & Privilege
always:false and normal autonomous invocation are set. The skill does not request persistent system-wide privileges or claim it will modify other skills or agent configuration.
Assessment
This skill is an instruction-only payment integration reference and appears internally consistent. It's safe from an install/permission perspective because it doesn't download code or ask for credentials. Practical notes before use: (1) Do not paste real API keys, private keys, or merchant credentials into chat when interacting with the assistant — treat examples (process.env.*) as placeholders. (2) Verify any sample code against the providers' official docs and your required API version before deploying. (3) Follow the skill's own security advice (webhook signature verification, never logging raw card data, using tokenization) and enforce PCI/regulatory requirements in production. If you need the assistant to generate deployment scripts that will run on your systems, review those scripts before execution.

Like a lobster shell, security has layers — review code before you run it.

latestvk970w05mtmknkbv4xhhbc4m1e98357b4

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments