ClawHub

MagicPay

v0.1.12

Protected-form workflows through the magicpay CLI for prepared login, identity, and payment pages.

0· 172·0 current·0 all-time
byDmitry Ukhanov@xor777
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
CryptoCan make purchasesRequires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (protected-form workflows via a magicpay CLI) match the declared needs: a magicpay binary, an API key (MAGICPAY_API_KEY), and a local config (~/.magicpay/config.json). These are all expected for a CLI-driven protected-form integration.
Instruction Scope
SKILL.md instructs the agent to run the magicpay CLI (status, attach, find-form, resolve-form, etc.) and to attach to a browser CDP endpoint. It explicitly forbids logging or printing protected values and limits when to ask the user. The instructions reference the local config only for diagnostics (doctor) and for storing the API key — behavior consistent with the described purpose.
Install Mechanism
Install uses a published npm package (@mercuryo-ai/magicpay-cli) which is expected for a CLI. This is a standard pattern but carries the usual npm-registry risks (third-party package provenance). No direct-download or obscure URL installs were used.
Credentials
Only MAGICPAY_API_KEY and a per-skill config path are required. No unrelated credentials or broad system environment access are requested; the primaryEnv aligns with the service.
Persistence & Privilege
The skill is not always-enabled and uses default autonomous invocation rules. It does not request elevated platform-wide persistence or to modify other skills' configs.
Assessment
This skill appears coherent for controlling a MagicPay CLI that attaches to a browser and resolves protected forms. Before installing: (1) Verify the npm package and author (review package page, repository, and recent release activity); (2) Treat the MAGICPAY_API_KEY as a sensitive secret — consider creating a scoped/limited key and prefer environment-only use or a short-lived key if supported; (3) Understand that the CLI will attach to a browser via a CDP endpoint (this gives the tool access to page DOM/state), so only attach to trusted browser instances/pages; (4) Follow the skill's guardrails — do not log or print protected values and do not run arbitrary shell commands returned by runtime output (use the recommended npm update command if needed); (5) If you need stronger assurance, inspect the CLI package source before installing or run it in an isolated environment. Overall the skill's requests and instructions match its stated purpose.

Like a lobster shell, security has layers — review code before you run it.

http-apivk972j9gjpd9w2cja5nbv51gk8183m98nlatestvk97e5gtm2ykk809nxphjw7fc0d84ywkkmagicpayvk972j9gjpd9w2cja5nbv51gk8183m98npaymentsvk972j9gjpd9w2cja5nbv51gk8183m98nsecretsvk972j9gjpd9w2cja5nbv51gk8183m98n

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binsmagicpay
EnvMAGICPAY_API_KEY
Config~/.magicpay/config.json
Primary envMAGICPAY_API_KEY

Install

Install MagicPay CLI (npm)
Bins: magicpay
npm i -g @mercuryo-ai/magicpay-cli

Comments