near-getpay
Facilitates crypto payments through a user-friendly page, integrating with PingPay and HOT PAY for seamless transactions.
Security score
The near-getpay skill was audited on Feb 28, 2026 and we found 40 security issues across 4 threat categories, including 1 critical. Review the findings below before installing.
Security Issues
Direct command execution function call
| 210 | const tunnel = spawn('ngrok', ['http', PORT.toString()]); |
Direct command execution function call
| 213 | const tunnel = spawn('cloudflared', ['tunnel', '--url', `http://localhost:${PORT}`]); |
Direct command execution function call
| 216 | const tunnel = spawn('npx', ['localtunnel', '--port', PORT.toString()]); |
Template literal with variable interpolation in command context
| 213 | const tunnel = spawn('cloudflared', ['tunnel', '--url', `http://localhost:${PORT}`]); |
Webhook reference - potential data exfiltration
| 219 | ### Webhook Integration (HOT PAY only) |
Webhook reference - potential data exfiltration
| 221 | HOT PAY sends webhooks to `/webhook/hotpay`. To use: |
Webhook reference - potential data exfiltration
| 224 | 2. Configure webhook URL in HOT PAY dashboard |
Webhook reference - potential data exfiltration
| 290 | - ✅ Webhook signature verification (HOT PAY) |
Ngrok tunnel reference
| 128 | Or use your own reverse proxy (Cloudflare Tunnel, ngrok paid, etc.) |
Ngrok tunnel reference
| 209 | // Option 1: ngrok |
Ngrok tunnel reference
| 210 | const tunnel = spawn('ngrok', ['http', PORT.toString()]); |
Access to hidden dotfiles in home directory
| 41 | cd ~/.openclaw/skills |
Access to hidden dotfiles in home directory
| 141 | 4. Run: cd ~/.openclaw/skills/near-getpay && ./start.sh |
Access to hidden dotfiles in home directory
| 270 | Run: `ssh-keygen -t rsa -b 2048 -f ~/.ssh/id_rsa -N ""` |
Access to hidden dotfiles in home directory
| 319 | cd ~/.openclaw/skills |
Access to SSH directory
| 270 | Run: `ssh-keygen -t rsa -b 2048 -f ~/.ssh/id_rsa -N ""` |
Access to .env file
| 54 | - Add to `.env`: `PINGPAY_API_KEY=your_key_here` |
Access to .env file
| 60 | - Copy each `item_id` and add to `.env` |
Access to .env file
| 64 | Copy `.env.example` to `.env`: |
Access to .env file
| 67 | cp .env.example .env |
Access to .env file
| 70 | Edit `.env`: |
Access to .env file
| 113 | **The recipient address (where payments go) is configured at the provider level, NOT in the .env file:** |
Access to .env file
| 118 | The `RECIPIENT_ADDRESS` in `.env` is **only for display** on the payment page. To change where payments actually go, update your provider's dashboard settings. |
Access to .env file
| 161 | 4. Share it with me (or add to .env yourself) |
Access to .env file
| 184 | ├── .env.example ← Config template |
Access to .env file
| 185 | ├── .env ← Your config (gitignored) |
Access to .env file
| 198 | Edit `.env`: |
Access to .env file
| 287 | - ✅ API keys stored in `.env` (gitignored) |
Access to .env file
| 292 | **Never commit `.env` to git!** |
External URL reference
| 51 | - Sign up at https://pingpay.io |
External URL reference
| 57 | - Visit https://pay.hot-labs.org/admin/overview |
External URL reference
| 107 | Share the generated `https://xxxxx.lhr.life` URL to accept payments! |
External URL reference
| 124 | 1. Sign up at https://admin.localhost.run/ |
External URL reference
| 158 | 1. Sign up at https://pingpay.io |
External URL reference
| 172 | https://abc123xyz.lhr.life |
External URL reference
| 213 | const tunnel = spawn('cloudflared', ['tunnel', '--url', `http://localhost:${PORT}`]); |
External URL reference
| 266 | Visit `http://localhost:3000/setup` to see setup instructions. |
External URL reference
| 327 | 1. Visit https://clawhub.com |
External URL reference
| 335 | - **PingPay**: https://pingpay.io/docs |
External URL reference
| 336 | - **HOT PAY**: https://pay.hot-labs.org/admin |