Total downloads: 598
Favorites: 0
Current installs: 0
Versions: 9
Install in OpenClaw
/install paypilot-agms
Description
Process payments, send invoices, issue refunds, manage subscriptions, and detect fraud via a secure payment gateway proxy. Use when a user asks to charge som...
Security usage recommendations
This skill appears internally consistent for a payment-proxy integration, but review and consider the following before installing:
- Confirm you trust the remote host (https://paypilot.agms.com and https://agms.com/get-started/) before providing gateway keys or registering. Verify TLS and the vendor's identity/terms.
- The agent will read/write ~/.config/paypilot/config.json to store a JWT. Ensure you are comfortable storing an access token there (the instructions set chmod 600, which is good practice).
- The skill sends lead and payment-management requests to the external API; do not instruct the agent to provide SSNs, bank account numbers, or other PCI/PII via chat — follow the skill's guidance to use the hosted AGMS form for sensitive merchant details.
- If you have internal security policies, review whether sending your gateway_key to a hosted proxy is acceptable (the proxy will store/handle the gateway key on your behalf).
- If you need higher assurance, ask the vendor for an auditable API/SDK, an allowlist of endpoints, or hosting options that meet your compliance needs.
Functional analysis
Type: OpenClaw Skill
Name: paypilot-agms
Version: 1.3.5
The PayPilot skill bundle facilitates payment processing via a proxy service (paypilot.agms.com) and includes detailed security guidelines in references/pci-compliance.md. However, the SKILL.md file contains multiple shell command templates that are vulnerable to command injection. Specifically, the use of variables like $USER_PASSWORD, VAULT_ID, and TXN_ID within curl commands without proper sanitization or escaping could allow for arbitrary code execution if the agent processes malicious user input. While the intent appears to be a legitimate financial tool, these critical security flaws warrant a suspicious classification.
Capability assessment
Purpose & Capability
Name/description (payment processing, invoices, refunds, subscriptions, fraud rules) match the runtime instructions and API endpoints. Required binaries (curl, jq) are appropriate for an instruction-only skill that issues HTTP requests and parses JSON. No unrelated credentials or system paths are requested.
Instruction Scope
Instructions direct the agent to read and write a single local config file (~/.config/paypilot/config.json) to store a JWT and to prompt the user for their password when refreshing tokens. This is within scope for a client that needs auth state, but it does mean the agent will read/write files in the user's home directory and send basic business lead info to an external API. The SKILL.md explicitly says the agent must not collect SSN/bank details and delegates that to the AGMS hosted form.
Install Mechanism
No install spec and no remote downloads; instruction-only approach is low-risk and proportional. The requirement that curl and jq be present is reasonable for shell-based HTTP calls and JSON parsing.
Credentials
The skill does not request environment variables, secrets, or unrelated credentials. It uses a locally stored JWT and a gateway_key that the user configures via the proxy — which is expected for a payment gateway proxy.
Persistence & Privilege
The skill is not forced always-on and does not request system-wide privileges or modify other skills. It persists only its own config file under ~/.config/paypilot, which is appropriate for storing auth tokens.
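How to use
- Make sure OpenClaw is installed (local or Docker deployment).
- Enter the install command in the chat box: /install paypilot-agms
- Once installation completes, call the Skill by name or use /paypilot-agms to trigger it.
- Provide the required inputs according to the Skill's parameter description to get structured output.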
Version history
v1.3.5
- Environment variable requirements removed; now only dependencies on curl and jq are needed.
- Setup and authentication workflows updated to no longer request or require passwords or gateway keys via environment variables.
- Login flow now prompts user for password only when needed—credentials are never stored after use.
- Updated documentation to clarify security practices regarding password handling.
- No code or logic changes were made; update is documentation/security guidance only.
v1.3.4
- Updated the metadata structure to align with the openclaw standard, specifying required binaries and environment variables.
- Removed the explicit list of required tools and credentials from metadata; now referenced through openclaw requirements.
- No functional or command changes; setup and usage documentation remain the same.
- Increased clarity around security rules and best practices in the documentation.
v1.3.3
- No code changes detected in this release.
- Updated metadata formatting in SKILL.md for improved consistency.
- Credential and configuration metadata is now provided in compact JSON format.
- The skill's functionality and instructions remain unchanged.
v1.3.2
- Added a metadata section to SKILL.md with homepage, source, author, required tools, network, credentials, and config details.
- Credentials and configuration requirements are now explicitly documented for setup and operational security.
- No changes made to core functionality, commands, or API usage.
- This update improves clarity for users and integrators on prerequisites and secure configuration.
v1.3.1
Version 1.3.1 — No changes detected in this release.
- No file changes were made from the previous version.
- Functionality and documentation remain unchanged.
v1.3.0
Version 1.3.0
- Removed technical implementation sections from public skill documentation, including requirements, config details, and credential specifications.
- Updated authentication section to clarify secure token update method and streamline file handling instructions.
- Improved fraud rules documentation: added supported rule types/actions, clarified lack of update support, and provided example API responses.
- Added explicit security and rate limit notes for API usage.
- General documentation refinements for clarity and user guidance.
v1.2.0
Summary: Adds fraud detection, 3D Secure support, risk scoring, and enhanced subscription management.
- Introduced fraud analytics, including 30-day stats, configurable rules, and fraud rate reporting.
- Added support for 3D Secure and AVS/CVV verification for higher security payments.
- Expanded description to include fraud analytics and risk scoring.
- Included subscription management in main functionality.
- Updated core commands and usage examples to demonstrate new payment security and fraud tools.
v1.0.1
- Added homepage and source links for PayPilot.
- Listed author as AGMS (Avant-Garde Marketing Solutions).
- Declared required system tools (curl, jq, mkdir, chmod) and network access.
- Introduced explicit credentials section for email, password, and gateway key.
- Specified config file path, permissions, and expected contents.
v1.0.0
PayPilot 1.0.0 — Initial Release
- Securely process payments, send invoices, issue refunds, and manage transactions via a payment gateway proxy.
- Supports merchant onboarding and first-time payment setup through guided conversational steps.
- Provides commands for sales summaries, transaction views, recurring billing, and managing customer vault tokens.
- Enforces strict PCI-compliant security: never handle raw card numbers or sensitive PII in chat.
- Includes detailed setup and authentication steps for easy configuration.
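FAQ
What is PayPilot by AGMS?
Process payments, send invoices, issue refunds, manage subscriptions, and detect fraud via a secure payment gateway proxy. Use when a user asks to charge som... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 598 cumulative downloads to date.
How do I install PayPilot by AGMS?
Run the command "/install paypilot-agms" in the OpenClaw or Claude Code chat box for a one-step install; no additional configuration is needed.
Is PayPilot by AGMS free?
Yes, PayPilot by AGMS is completely free. It is released under the MIT-0 license and can be freely downloaded, installed, and used.
Which platforms does PayPilot by AGMS support?
PayPilot by AGMS is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed PayPilot by AGMS?
It is developed and maintained by agmsyumet (@agmsyumet); the current version is v1.3.5.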