PayPal

Integrate PayPal payments with proper webhook verification, OAuth handling, and security validation for checkout flows and subscriptions.

This skill contains detailed, standard PayPal integration guidance, but the package metadata omits the credentials and config it actually needs. Before installing or using it: 1) Ask the publisher for the source code or homepage and a list of required environment variables (client ID, client secret, WEBHOOK_ID, merchant ID, DB connection info). 2) Do not paste secrets into chat — store PayPal credentials in a secure secret store and bind them only to the runtime you control. 3) Verify webhook verification is implemented exactly as shown (verify-webhook-signature) and point webhooks to an authenticated, HTTPS endpoint. 4) Confirm how the skill expects to access your database (what DB, schema, and credentials) and restrict those credentials to minimal privileges. 5) Prefer testing in PayPal sandbox(s) before production. If the publisher updates the registry metadata to explicitly declare the required env vars and credential scope, and provides a trusted source or repo, re-evaluate — that would reduce the concerns.

Type: OpenClaw Skill Name: paypal Version: 1.0.0 The OpenClaw AgentSkills bundle for PayPal integration is benign. All code examples and instructions provided in SKILL.md, patterns.md, and webhooks.md are directly related to integrating with the legitimate PayPal API endpoints (e.g., api.paypal.com, www.paypal.com). The skill emphasizes security best practices such as OAuth token management, mandatory webhook verification, server-side validation, and idempotency. There is no evidence of data exfiltration, unauthorized command execution, persistence mechanisms, or prompt injection attempts against the agent to perform malicious actions. The `ngrok` command in `webhooks.md` is a testing instruction for a human developer, not an instruction for the AI agent to execute as part of its core skill functionality.