Downloads: 456
Stars: 0
Active Installs: 1
Versions: 1
Install in OpenClaw
/install paddle
Description
Integrate Paddle payments with subscriptions, webhooks, checkout, and tax compliance.
Usage Guidance
This skill's content appears to be a legitimate Paddle integration, but there are important inconsistencies you should resolve before installing or allowing an agent to use it autonomously:
- Confirm environment variables: The docs use PADDLE_API_KEY and PADDLE_WEBHOOK_SECRET but the registry lists none. Require that the developer (or you) declare these env vars explicitly and keep keys in environment variables or a secure vault — do not store secrets in ~/paddle/memory.md.
- Review local storage: The skill writes to ~/paddle/. Inspect that directory and the memory.md file format to ensure no plaintext secrets are saved. If you allow the agent to create files there, restrict their contents and file permissions.
- Limit code access: The guidance to 'observe their code' could cause the agent to read unrelated source files. If you want the agent to inspect only specific repos or paths, enforce that constraint before use.
- Verify webhook handling: Ensure webhook verification uses the webhook secret and timing-safe comparison as shown. Test only in sandbox until you confirm behavior.
- Be cautious with CLI installs: The docs suggest installing the Paddle CLI (npm). Only run such installs from trusted sources and in controlled environments (sandbox/container) if you plan to follow that step.
If you need higher assurance, ask the skill author to (1) list required env vars and binaries in the registry metadata, (2) explicitly state that memory.md will never contain secrets, and (3) narrow any instructions that read the user's codebase to specific, documented paths. If those clarifications are not available, treat the skill as suspicious and use it only in a constrained sandbox environment.
Capability Analysis
Type: OpenClaw Skill
Name: paddle
Version: 1.0.0
The OpenClaw AgentSkills skill bundle for Paddle integration is benign. It provides comprehensive documentation and code examples for integrating Paddle payments, with a strong emphasis on security best practices. Key indicators include explicit instructions for the agent to 'Always Use Sandbox First' and 'Verify Webhook Signatures' (SKILL.md, webhooks.md), secure handling of API keys via environment variables, and correct implementation of webhook signature verification using constant-time comparison (webhooks.md). The skill transparently outlines data handling, stating what data is sent to Paddle (expected for a payment processor) and what remains local. There is no evidence of malicious intent, unauthorized data exfiltration, persistence mechanisms, or prompt injection designed to subvert the agent for harmful purposes. The suggested `npm install -g @paddle/paddle-cli` command in `webhooks.md` is for a legitimate development tool and is presented transparently for its stated purpose of webhook testing.
Capability Assessment
Purpose & Capability
The name/description (Paddle payments, subscriptions, webhooks, checkout, tax) matches the provided docs and examples. However, the skill references sensitive runtime items (PADDLE_API_KEY, PADDLE_WEBHOOK_SECRET) and the Paddle CLI, yet the registry metadata lists no required environment variables or binaries — this mismatch is unexpected and should be clarified.
Instruction Scope
Runtime docs instruct the agent to read/write local memory in ~/paddle/, to save integration state, and contain guidance like 'observe their code, don't interrogate' which implicitly encourages the agent to inspect the user's codebase; the skill does not enumerate what filesystem paths are allowed. The docs also give examples that reference environment variables (PADDLE_API_KEY, PADDLE_WEBHOOK_SECRET) and recommend installing the Paddle CLI via npm, but the instructions do not explicitly constrain file or repo access — this broad scope could let the agent read unrelated files or accidentally store secrets in plain memory.
Install Mechanism
There is no install spec (instruction-only), which is lower risk, but the documentation recommends running npm install -g @paddle/paddle-cli for webhook testing. The lack of declared required binaries yet recommending a global npm install is an inconsistency the user should expect to resolve manually.
Credentials
Registry metadata declares no required environment variables, but api.md and webhooks.md clearly show use of PADDLE_API_KEY and PADDLE_WEBHOOK_SECRET. The architecture and memory references are inconsistent: some files imply API keys live in environment variables, other places show memory.md containing 'API keys, environment, product IDs'. This ambiguity is a security concern — secrets must be minimised, stored in env vars or secure vaults, and never written to a plaintext memory file.
Persistence & Privilege
The skill persists integration state under ~/paddle/ (memory.md and webhooks.md). Persisting local integration metadata is reasonable for this purpose, and always:false means it won't be force-included. Still, the guidelines should explicitly forbid storing secrets in that persisted memory file; currently the files contain mixed guidance about where keys live.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: `/install paddle`
- After installation, invoke the skill by name or use `/paddle`
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release with API reference, webhook handling, and checkout integration.
Frequently Asked Questions
What is Paddle?
Integrate Paddle payments with subscriptions, webhooks, checkout, and tax compliance. It is an AI Agent Skill for Claude Code / OpenClaw, with 456 downloads so far.
How do I install Paddle?
Run "/install paddle" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Paddle free?
Yes, Paddle is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Paddle support?
Paddle is cross-platform and runs anywhere OpenClaw / Claude Code is available (linux, darwin, win32).
Who created Paddle?
It is built and maintained by Iván (@ivangdavila); the current version is v1.0.0.