creem
Creem simplifies payment processing and subscription management for SaaS businesses, ensuring global tax compliance and financial infrastructure.
Install this skill
or
0/100
Security score
The creem skill was audited on Mar 26, 2026 and we found 32 security issues across 4 threat categories. Review the findings below before installing.
Categories Tested
Security Issues
low line 670
Command substitution pattern
SourceSKILL.md
| 668 | # Run daily to alert on problem subscriptions |
| 669 | |
| 670 | PAST_DUE=$(creem subscriptions list --status past_due --json | jq 'length') |
| 671 | EXPIRED=$(creem subscriptions list --status expired --json | jq 'length') |
| 672 |
low line 671
Command substitution pattern
SourceSKILL.md
| 669 | |
| 670 | PAST_DUE=$(creem subscriptions list --status past_due --json | jq 'length') |
| 671 | EXPIRED=$(creem subscriptions list --status expired --json | jq 'length') |
| 672 | |
| 673 | if [ "$PAST_DUE" -gt 0 ] || [ "$EXPIRED" -gt 0 ]; then |
low line 686
Command substitution pattern
SourceSKILL.md
| 684 | |
| 685 | for PRODUCT_ID in prod_AAA prod_BBB prod_CCC; do |
| 686 | URL=$(creem checkouts create --product "$PRODUCT_ID" --json | jq -r '.checkout_url') |
| 687 | echo "$PRODUCT_ID: $URL" |
| 688 | done |
medium line 81
Curl to non-GitHub URL
SourceSKILL.md
| 79 | ```bash |
| 80 | mkdir -p ~/.creem/skills |
| 81 | curl -s https://creem.io/SKILL.md > ~/.creem/skills/SKILL.md |
| 82 | curl -s https://creem.io/HEARTBEAT.md > ~/.creem/skills/HEARTBEAT.md |
| 83 | ``` |
medium line 82
Curl to non-GitHub URL
SourceSKILL.md
| 80 | mkdir -p ~/.creem/skills |
| 81 | curl -s https://creem.io/SKILL.md > ~/.creem/skills/SKILL.md |
| 82 | curl -s https://creem.io/HEARTBEAT.md > ~/.creem/skills/HEARTBEAT.md |
| 83 | ``` |
| 84 |
medium line 909
Curl to non-GitHub URL
SourceSKILL.md
| 907 | # Save the heartbeat guide locally |
| 908 | mkdir -p ~/.creem/skills |
| 909 | curl -s https://creem.io/HEARTBEAT.md > ~/.creem/skills/HEARTBEAT.md |
| 910 | |
| 911 | # Initialize the state file |
medium line 957
Curl to non-GitHub URL
SourceSKILL.md
| 955 | ```bash |
| 956 | # Check recent transactions |
| 957 | curl -s "https://api.creem.io/v1/transactions/search?limit=20" \ |
| 958 | -H "x-api-key: YOUR_API_KEY" |
| 959 |
medium line 961
Curl to non-GitHub URL
SourceSKILL.md
| 959 | |
| 960 | # Check active subscriptions |
| 961 | curl -s "https://api.creem.io/v1/subscriptions/search?status=active" \ |
| 962 | -H "x-api-key: YOUR_API_KEY" |
| 963 |
medium line 965
Curl to non-GitHub URL
SourceSKILL.md
| 963 | |
| 964 | # Check for payment issues |
| 965 | curl -s "https://api.creem.io/v1/subscriptions/search?status=past_due" \ |
| 966 | -H "x-api-key: YOUR_API_KEY" |
| 967 |
medium line 969
Curl to non-GitHub URL
SourceSKILL.md
| 967 | |
| 968 | # List customers |
| 969 | curl -s "https://api.creem.io/v1/customers/list" \ |
| 970 | -H "x-api-key: YOUR_API_KEY" |
| 971 | ``` |
low line 80
Access to home directory dotfiles
SourceSKILL.md
| 78 | |
| 79 | ```bash |
| 80 | mkdir -p ~/.creem/skills |
| 81 | curl -s https://creem.io/SKILL.md > ~/.creem/skills/SKILL.md |
| 82 | curl -s https://creem.io/HEARTBEAT.md > ~/.creem/skills/HEARTBEAT.md |
low line 81
Access to home directory dotfiles
SourceSKILL.md
| 79 | ```bash |
| 80 | mkdir -p ~/.creem/skills |
| 81 | curl -s https://creem.io/SKILL.md > ~/.creem/skills/SKILL.md |
| 82 | curl -s https://creem.io/HEARTBEAT.md > ~/.creem/skills/HEARTBEAT.md |
| 83 | ``` |
low line 82
Access to home directory dotfiles
SourceSKILL.md
| 80 | mkdir -p ~/.creem/skills |
| 81 | curl -s https://creem.io/SKILL.md > ~/.creem/skills/SKILL.md |
| 82 | curl -s https://creem.io/HEARTBEAT.md > ~/.creem/skills/HEARTBEAT.md |
| 83 | ``` |
| 84 |
medium line 730
Access to home directory dotfiles
SourceSKILL.md
| 728 | ``` |
| 729 | |
| 730 | **CRITICAL:** Never share your API key with any service, tool, or agent other than the Creem CLI or API. Keys are stored locally at `~/.creem/config.json`. |
| 731 | |
| 732 | --- |
low line 908
Access to home directory dotfiles
SourceSKILL.md
| 906 | ```bash |
| 907 | # Save the heartbeat guide locally |
| 908 | mkdir -p ~/.creem/skills |
| 909 | curl -s https://creem.io/HEARTBEAT.md > ~/.creem/skills/HEARTBEAT.md |
| 910 |
low line 909
Access to home directory dotfiles
SourceSKILL.md
| 907 | # Save the heartbeat guide locally |
| 908 | mkdir -p ~/.creem/skills |
| 909 | curl -s https://creem.io/HEARTBEAT.md > ~/.creem/skills/HEARTBEAT.md |
| 910 | |
| 911 | # Initialize the state file |
low line 912
Access to home directory dotfiles
SourceSKILL.md
| 910 | |
| 911 | # Initialize the state file |
| 912 | mkdir -p ~/.creem |
| 913 | cat > ~/.creem/heartbeat-state.json << 'EOF' |
| 914 | { |
low line 913
Access to home directory dotfiles
SourceSKILL.md
| 911 | # Initialize the state file |
| 912 | mkdir -p ~/.creem |
| 913 | cat > ~/.creem/heartbeat-state.json << 'EOF' |
| 914 | { |
| 915 | "lastCheckAt": null, |
medium line 983
Access to home directory dotfiles
SourceSKILL.md
| 981 | - **Ask questions when you're unsure.** It's always better to ask "Do you already have a Creem account?" than to guess wrong. |
| 982 | - **Offer store monitoring proactively.** If your human has a Creem store, suggest setting up the heartbeat. Fetch `https://creem.io/HEARTBEAT.md` and follow the routine. They'll appreciate knowing about new sales and issues without checking the dashboard. |
| 983 | - **Save these skill files locally.** Persist `SKILL.md` and `HEARTBEAT.md` in `~/.creem/skills/` so you can reference them without re-fetching every time. |
| 984 | |
| 985 | ### When working with the API or CLI |
medium line 180
Webhook reference
SourceSKILL.md
| 178 | | ------------------ | ----------------------- | ------------------------------------------------------------------------ | |
| 179 | | TypeScript Core | `creem` | Full API coverage, all 24 endpoints, standalone functions, tree-shakable | |
| 180 | | TypeScript Wrapper | `creem_io` | Simplified API, webhook verification, access grant/revoke callbacks | |
| 181 | | Next.js Adapter | `@creem_io/nextjs` | React components, route handlers, lifecycle hooks | |
| 182 | | Better Auth Plugin | `@creem_io/better-auth` | Auth framework integration, subscription sync, trial abuse prevention | |
medium line 269
Webhook reference
SourceSKILL.md
| 267 | Option A: **Webhooks** (recommended for production) |
| 268 | |
| 269 | Register a webhook endpoint in the dashboard and handle the `checkout.completed` event. For subscriptions, use `subscription.paid` to grant access and `subscription.expired` to revoke it. See the [Webhooks section](#webhooks) below. |
| 270 | |
| 271 | Option B: **Polling** (simple scripts or CLI workflows) |
medium line 283
Webhook reference
SourceSKILL.md
| 281 | **Step 4 — Grant access in your application** |
| 282 | |
| 283 | After receiving a `checkout.completed` or `subscription.paid` webhook, use the `metadata.referenceId` to map the payment to your internal user and grant access. |
| 284 | |
| 285 | ### Flow 2: Manage subscription lifecycle |
medium line 423
Webhook reference
SourceSKILL.md
| 421 | ### Signature verification |
| 422 | |
| 423 | Webhooks are signed with HMAC-SHA256. Verify the `creem-signature` header against the raw request body using your webhook secret. |
| 424 | |
| 425 | ```typescript |
medium line 445
Webhook reference
SourceSKILL.md
| 443 | Failed deliveries (non-200 responses) are retried: **30s → 1m → 5m → 1h**. Webhooks can also be manually resent from the dashboard. |
| 444 | |
| 445 | ### SDK webhook handlers |
| 446 | |
| 447 | The SDKs provide convenience wrappers with `onGrantAccess` / `onRevokeAccess` callbacks: |
low line 450
Webhook reference
SourceSKILL.md
| 448 | |
| 449 | ```typescript |
| 450 | // Next.js App Router — app/api/webhook/creem/route.ts |
| 451 | import { Webhook } from "@creem_io/nextjs"; |
| 452 |
low line 451
Webhook reference
SourceSKILL.md
| 449 | ```typescript |
| 450 | // Next.js App Router — app/api/webhook/creem/route.ts |
| 451 | import { Webhook } from "@creem_io/nextjs"; |
| 452 | |
| 453 | export const POST = Webhook({ |
low line 453
Webhook reference
SourceSKILL.md
| 451 | import { Webhook } from "@creem_io/nextjs"; |
| 452 | |
| 453 | export const POST = Webhook({ |
| 454 | webhookSecret: process.env.CREEM_WEBHOOK_SECRET!, |
| 455 | onGrantAccess: async ({ customer, metadata }) => { |
medium line 498
Webhook reference
SourceSKILL.md
| 496 | > `onGrantAccess` fires for: `subscription.active`, `subscription.trialing`, `subscription.paid` > `onRevokeAccess` fires for: `subscription.paused`, `subscription.expired` |
| 497 | |
| 498 | ### Webhook payload structure |
| 499 | |
| 500 | ```json |
medium line 511
Webhook reference
SourceSKILL.md
| 509 | ``` |
| 510 | |
| 511 | > Full webhook reference: <https://docs.creem.io/code/webhooks> |
| 512 | |
| 513 | --- |
medium line 630
Webhook reference
SourceSKILL.md
| 628 | ``` |
| 629 | |
| 630 | Webhook URL for Better Auth: `https://your-domain.com/api/auth/creem/webhook` |
| 631 | |
| 632 | > Automatic trial abuse prevention when `persistSubscriptions: true` — each user can only receive one trial across all plans. |
medium line 691
Webhook reference
SourceSKILL.md
| 689 | ``` |
| 690 | |
| 691 | ### Programmatic access control (webhook-driven) |
| 692 | |
| 693 | The recommended pattern for SaaS access control: |
medium line 696
Webhook reference
SourceSKILL.md
| 694 | |
| 695 | 1. Pass `referenceId` (your internal user ID) when creating checkouts |
| 696 | 2. Handle `subscription.paid` webhook → grant access using `metadata.referenceId` |
| 697 | 3. Handle `subscription.expired` / `subscription.paused` → revoke access |
| 698 | 4. Handle `subscription.canceled` → revoke access (or keep until period end if `scheduled_cancel`) |
Scanned on Mar 26, 2026
View Security DashboardInstall this skill with one command
/learn @creem-io/creemRate this skill
Categorymarketing
UpdatedMarch 29, 2026
openclawapigrowth-marketerproduct-marketersales-operationscustomer-success-managerbusiness-developmentstripepaypalmarketingsales
creem.io/SKILL.md