by 安全扫描
OpenClaw
安全
medium confidenceThe playbook is internally consistent with its stated purpose (a multi-rail payments guide) and the environment variables it requests are plausible for that purpose, but there are a few minor inconsistencies and sensitive-credential risks you should be aware of before using live keys.
评估建议
This is an instructional playbook and the requested environment variables align with its purpose, but those variables are sensitive and could be used to make real payments. Before installing or running examples: (1) use sandbox/test keys only; (2) create minimally-scoped API keys in Stripe/GreenHelix (payment-intent-only, sandbox mode) and avoid production keys; (3) keep the AGENT_SIGNING_KEY offline or use a test signing key and protect it with hardware or a secrets manager if possible; (4) rev...详细分析 ▾
✓ 用途与能力
The skill is a payments playbook referencing a GreenHelix gateway and Stripe; requesting GREENHELIX_API_KEY, STRIPE_API_KEY, and an AGENT_SIGNING_KEY is consistent with building and running the integrations the guide describes. Minor inconsistency: the guide text says the GreenHelix sandbox requires no API key to get started, while the metadata declares GREENHELIX_API_KEY as required.
ℹ 指令范围
SKILL.md contains working Python examples intended to run against the GreenHelix API and Stripe and states examples have been 'tested against the live gateway.' That is expected for a playbook but creates financial risk if users run examples with production keys. The guide does not appear to direct reading unrelated system files or exfiltrating data to unexpected endpoints, but it does presume access to sensitive keys and to the gateway/Stripe endpoints.
✓ 安装机制
Instruction-only skill with no install spec and no code files. Nothing will be written to disk by the skill itself — low install risk.
ℹ 凭证需求
Three environment variables are requested and each maps to a plausible capability: gateway access (GREENHELIX_API_KEY), agent identity/signing (AGENT_SIGNING_KEY), and card payments (STRIPE_API_KEY). These are sensitive credentials. The guide claims STRIPE_API_KEY is 'scoped to payment intents only'—you should ensure minimal scopes and use test keys. The requirement to supply AGENT_SIGNING_KEY is reasonable for KYA flows but is sensitive: do not supply high-privilege or production signing keys to untrusted agents.
✓ 持久化与权限
always is false and the skill does not request system-wide config changes. The skill is user-invocable and model-invocation is enabled (the platform default); combined with payment credentials this means an agent with these credentials could initiate transactions if you let it run code — this is normal for integration tasks but worth guarding with test keys and restricted scopes.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.3.12026/4/9
- Added a `metadata` section specifying required environment variables for OpenClaw compatibility. - Listed all necessary environment variables (`GREENHELIX_API_KEY`, `AGENT_SIGNING_KEY`, `STRIPE_API_KEY`) in an OpenClaw-friendly format. - Set `GREENHELIX_API_KEY` as the primary environment variable for use with OpenClaw. - No changes to guide content or code examples.
● 可疑
安装命令
点击复制官方npx clawhub@latest install greenhelix-agent-payment-rails-playbook
镜像加速npx clawhub@latest install greenhelix-agent-payment-rails-playbook --registry https://cn.longxiaskill.com