# Send PayPal to your agent Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually. ## Fast path - Download the package from Yavira. - Extract it into a folder your agent can access. - Paste one of the prompts below and point your agent at the extracted folder. ## Suggested prompts ### New install ```text I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete. ``` ### Upgrade existing ```text I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run. ``` ## Machine-readable fields ```json { "schemaVersion": "1.0", "item": { "slug": "paypal", "name": "PayPal", "source": "tencent", "type": "skill", "category": "安全合规", "sourceUrl": "https://clawhub.ai/ivangdavila/paypal", "canonicalUrl": "https://clawhub.ai/ivangdavila/paypal", "targetPlatform": "OpenClaw" }, "install": { "downloadUrl": "/downloads/paypal", "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=paypal", "sourcePlatform": "tencent", "targetPlatform": "OpenClaw", "packageFormat": "ZIP package", "primaryDoc": "SKILL.md", "includedAssets": [ "SKILL.md", "patterns.md", "webhooks.md" ], "downloadMode": "redirect", "sourceHealth": { "source": "tencent", "slug": "paypal", "status": "healthy", "reason": "direct_download_ok", "recommendedAction": "download", "checkedAt": "2026-04-29T10:21:46.017Z", "expiresAt": "2026-05-06T10:21:46.017Z", "httpStatus": 200, "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=paypal", "contentType": "application/zip", "probeMethod": "head", "details": { "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=paypal", "contentDisposition": "attachment; filename=\"paypal-1.0.0.zip\"", "redirectLocation": null, "bodySnippet": null, "slug": "paypal" }, "scope": "item", "summary": "Item download looks usable.", "detail": "Yavira can redirect you to the upstream package for this item.", "primaryActionLabel": "Download for OpenClaw", "primaryActionHref": "/downloads/paypal" }, "validation": { "installChecklist": [ "Use the Yavira download entry.", "Review SKILL.md after the package is downloaded.", "Confirm the extracted package contains the expected setup assets." ], "postInstallChecks": [ "Confirm the extracted package includes the expected docs or setup files.", "Validate the skill or prompts are available in your target agent workspace.", "Capture any manual follow-up steps the agent could not complete." ] } }, "links": { "detailUrl": "https://openagent3.xyz/skills/paypal", "downloadUrl": "https://openagent3.xyz/downloads/paypal", "agentUrl": "https://openagent3.xyz/skills/paypal/agent", "manifestUrl": "https://openagent3.xyz/skills/paypal/agent.json", "briefUrl": "https://openagent3.xyz/skills/paypal/agent.md" } } ``` ## Documentation ### When to Use User needs to integrate PayPal REST API for payments, subscriptions, or payouts. Agent handles checkout flows, webhook verification, OAuth token management, and dispute workflows. ### Quick Reference TopicFileCode patternspatterns.mdWebhook eventswebhooks.md ### 1. Environment URLs are Different Sandbox: api.sandbox.paypal.com Production: api.paypal.com Ask which environment BEFORE generating code Credentials are environment-specific — never mix ### 2. OAuth Token Management // Token expires ~8 hours — handle refresh const getToken = async () => { const res = await fetch('https://api.paypal.com/v1/oauth2/token', { method: 'POST', headers: { 'Authorization': \`Basic ${Buffer.from(\`${clientId}:${secret}\`).toString('base64')}\`, 'Content-Type': 'application/x-www-form-urlencoded' }, body: 'grant_type=client_credentials' }); return res.json(); // { access_token, expires_in } }; Never hardcode tokens. Implement refresh logic. ### 3. Webhook Verification is Mandatory PayPal webhooks MUST be verified via API call — not simple HMAC: // POST /v1/notifications/verify-webhook-signature const verification = await fetch('https://api.paypal.com/v1/notifications/verify-webhook-signature', { method: 'POST', headers: { 'Authorization': \`Bearer ${token}\`, 'Content-Type': 'application/json' }, body: JSON.stringify({ auth_algo: headers['paypal-auth-algo'], cert_url: headers['paypal-cert-url'], transmission_id: headers['paypal-transmission-id'], transmission_sig: headers['paypal-transmission-sig'], transmission_time: headers['paypal-transmission-time'], webhook_id: WEBHOOK_ID, webhook_event: body }) }); // verification_status === 'SUCCESS' ### 4. CAPTURE vs AUTHORIZE — Ask First IntentBehaviorCAPTURECharges immediately on approvalAUTHORIZEReserves funds, capture later (up to 29 days) Changing intent after integration breaks the entire flow. ### 5. Server-Side Validation — Never Trust Client // After client approves, VERIFY on server before fulfillment const order = await fetch(\`https://api.paypal.com/v2/checkout/orders/${orderId}\`, { headers: { 'Authorization': \`Bearer ${token}\` } }).then(r => r.json()); // Validate ALL of these: if (order.status !== 'APPROVED') throw new Error('Not approved'); if (order.purchase_units[0].amount.value !== expectedAmount) throw new Error('Amount mismatch'); if (order.purchase_units[0].amount.currency_code !== expectedCurrency) throw new Error('Currency mismatch'); if (order.purchase_units[0].payee.merchant_id !== YOUR_MERCHANT_ID) throw new Error('Wrong merchant'); ### 6. Idempotency in Webhooks PayPal may send the same webhook multiple times: const processed = await db.webhooks.findOne({ eventId: body.id }); if (processed) return res.status(200).send('Already processed'); await db.webhooks.insert({ eventId: body.id, processedAt: new Date() }); // Now process the event ### 7. Currency Decimal Rules Some currencies have NO decimal places: CurrencyDecimalsExampleUSD, EUR2"10.50"JPY, TWD0"1050" (NOT "1050.00") Sending "10.50" for JPY = API error. ### Common Traps IPN vs Webhooks — IPN is legacy. Use Webhooks for new integrations. Never mix. Order states — CREATED → APPROVED → COMPLETED (or VOIDED). Handle ALL states, not just happy path. Decimal confusion — PayPal uses strings for amounts ("10.50"), not floats. Some currencies forbid decimals. Sandbox rate limits — Lower than production. Don't assume prod will fail the same way. Payout vs Payment — Payouts API is separate. Don't confuse sending money (Payouts) with receiving (Orders). ## Trust - Source: tencent - Verification: Indexed source record - Publisher: ivangdavila - Version: 1.0.0 ## Source health - Status: healthy - Item download looks usable. - Yavira can redirect you to the upstream package for this item. - Health scope: item - Reason: direct_download_ok - Checked at: 2026-04-29T10:21:46.017Z - Expires at: 2026-05-06T10:21:46.017Z - Recommended action: Download for OpenClaw ## Links - [Detail page](https://openagent3.xyz/skills/paypal) - [Send to Agent page](https://openagent3.xyz/skills/paypal/agent) - [JSON manifest](https://openagent3.xyz/skills/paypal/agent.json) - [Markdown brief](https://openagent3.xyz/skills/paypal/agent.md) - [Download page](https://openagent3.xyz/downloads/paypal)