Tencent SkillHub · Security & Compliance

PayPal

Integrate PayPal payments with proper webhook verification, OAuth handling, and security validation for checkout flows and subscriptions.

skill openclawclawhub Free

0 Downloads

0 Stars

0 Installs

0 Score

High Signal

Integrate PayPal payments with proper webhook verification, OAuth handling, and security validation for checkout flows and subscriptions.

⬇ 0 downloads ★ 0 stars Unverified but indexed

Install for OpenClaw

Quick setup

Download the package from Yavira.
Extract the archive and review SKILL.md first.
Import or place the package into your OpenClaw setup.

Requirements

Target platform: OpenClaw
Install method: Manual import
Extraction: Extract archive
Prerequisites: OpenClaw
Primary doc: SKILL.md

Package facts

Download mode: Yavira redirect
Package format: ZIP package
Source platform: Tencent SkillHub
What's included: SKILL.md, patterns.md, webhooks.md

Validation

Use the Yavira download entry.
Review SKILL.md after the package is downloaded.
Confirm the extracted package contains the expected setup assets.

Install with your agent

Agent handoff

Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.

Download the package from Yavira.
Extract it into a folder your agent can access.
Paste one of the prompts below and point your agent at the extracted folder.

New install

I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete.

Upgrade existing

I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run.

Open Send to Agent page Open JSON manifest Open Markdown brief

Trust & source

Release facts

Source: Tencent SkillHub
Verification: Indexed source record
Version: 1.0.0

Provenance

Publisher: ivangdavila
Source page: View original listing
Canonical URL: Open canonical page

Documentation

ClawHub primary doc Primary doc: SKILL.md 10 sections Open source page

When to Use

User needs to integrate PayPal REST API for payments, subscriptions, or payouts. Agent handles checkout flows, webhook verification, OAuth token management, and dispute workflows.

Quick Reference

TopicFileCode patternspatterns.mdWebhook eventswebhooks.md

1. Environment URLs are Different

Sandbox: api.sandbox.paypal.com Production: api.paypal.com Ask which environment BEFORE generating code Credentials are environment-specific — never mix

2. OAuth Token Management

// Token expires ~8 hours — handle refresh const getToken = async () => { const res = await fetch('https://api.paypal.com/v1/oauth2/token', { method: 'POST', headers: { 'Authorization': `Basic ${Buffer.from(`${clientId}:${secret}`).toString('base64')}`, 'Content-Type': 'application/x-www-form-urlencoded' }, body: 'grant_type=client_credentials' }); return res.json(); // { access_token, expires_in } }; Never hardcode tokens. Implement refresh logic.

3. Webhook Verification is Mandatory

PayPal webhooks MUST be verified via API call — not simple HMAC: // POST /v1/notifications/verify-webhook-signature const verification = await fetch('https://api.paypal.com/v1/notifications/verify-webhook-signature', { method: 'POST', headers: { 'Authorization': `Bearer ${token}`, 'Content-Type': 'application/json' }, body: JSON.stringify({ auth_algo: headers['paypal-auth-algo'], cert_url: headers['paypal-cert-url'], transmission_id: headers['paypal-transmission-id'], transmission_sig: headers['paypal-transmission-sig'], transmission_time: headers['paypal-transmission-time'], webhook_id: WEBHOOK_ID, webhook_event: body }) }); // verification_status === 'SUCCESS'

4. CAPTURE vs AUTHORIZE — Ask First

IntentBehaviorCAPTURECharges immediately on approvalAUTHORIZEReserves funds, capture later (up to 29 days) Changing intent after integration breaks the entire flow.

5. Server-Side Validation — Never Trust Client

// After client approves, VERIFY on server before fulfillment const order = await fetch(`https://api.paypal.com/v2/checkout/orders/${orderId}`, { headers: { 'Authorization': `Bearer ${token}` } }).then(r => r.json()); // Validate ALL of these: if (order.status !== 'APPROVED') throw new Error('Not approved'); if (order.purchase_units[0].amount.value !== expectedAmount) throw new Error('Amount mismatch'); if (order.purchase_units[0].amount.currency_code !== expectedCurrency) throw new Error('Currency mismatch'); if (order.purchase_units[0].payee.merchant_id !== YOUR_MERCHANT_ID) throw new Error('Wrong merchant');

6. Idempotency in Webhooks

PayPal may send the same webhook multiple times: const processed = await db.webhooks.findOne({ eventId: body.id }); if (processed) return res.status(200).send('Already processed'); await db.webhooks.insert({ eventId: body.id, processedAt: new Date() }); // Now process the event

7. Currency Decimal Rules

Some currencies have NO decimal places: CurrencyDecimalsExampleUSD, EUR2"10.50"JPY, TWD0"1050" (NOT "1050.00") Sending "10.50" for JPY = API error.

Common Traps

IPN vs Webhooks — IPN is legacy. Use Webhooks for new integrations. Never mix. Order states — CREATED → APPROVED → COMPLETED (or VOIDED). Handle ALL states, not just happy path. Decimal confusion — PayPal uses strings for amounts ("10.50"), not floats. Some currencies forbid decimals. Sandbox rate limits — Lower than production. Don't assume prod will fail the same way. Payout vs Payment — Payouts API is separate. Don't confuse sending money (Payouts) with receiving (Orders).

Category context

Identity, auth, scanning, governance, audit, and operational guardrails.

Source: Tencent SkillHub

Largest current source with strong distribution and engagement signals.

Package contents

Included in package

3 Docs

SKILL.md Primary doc
patterns.md Docs
webhooks.md Docs