Manage Whop digital products store — create products, plans, track payments, manage memberships. Use when: selling digital products, managing Whop store. Don...
Security Analysis
high confidenceThe skill's requirements and instructions line up with its stated purpose (managing a Whop store); it asks only for the expected Whop API credentials and recommends installing the official Whop SDK via npm.
Name/description, declared env vars (WHOP_API_KEY, WHOP_COMPANY_ID), and the SKILL.md usage examples all target Whop's API and SDK. There are no unrelated credentials, binaries, or functionality requested.
SKILL.md only instructs installing the Whop SDK, exporting the Whop API key and company ID, and calling the SDK methods (products, plans, payments, memberships, etc.). It does not direct the agent to read arbitrary host files, other environment variables, or send data to unexpected external endpoints.
The SKILL.md recommends running 'npm install -g @whop/sdk'. Installing from the public npm registry is a normal choice for a JavaScript SDK, but global npm installs run package install scripts and require elevated permissions on some systems. This is a moderate-risk action in general; consider reviewing the @whop/sdk package on the npm registry and using a local or project-scoped install instead of -g if you prefer less blast radius.
Only two environment variables are required and both are directly relevant to working with Whop (API key and company ID). No other secrets or unrelated environment access is requested.
The skill is not always-included and does not request system-wide configuration changes. It is instruction-only and does not attempt to modify other skills or global agent settings.
Guidance
This skill appears coherent for managing a Whop store. Before installing: 1) Review the @whop/sdk package on npm (read its README, recent versions, and maintainers) because npm installs execute package scripts; prefer a local/project install over global if you want less system impact. 2) Only provide a Whop API key with the least privileges needed and rotate it if possible. 3) Avoid pasting the API key into public places or sharing it; set it in a secure environment store. 4) If you run the npm -g command, avoid using sudo where possible or audit what it will change. 5) If you need stronger assurance, request the skill author/public homepage or source repository to verify provenance and inspect the SDK code.
Latest Release
v1.0.0
Initial release of whop-cli. - Manage Whop digital products store via API: create products and pricing plans, track payments, and manage memberships. - Easy setup with environment variables for API authentication. - Usage examples included for product and plan creation, payment tracking, and membership management. - Supports multiple resources: products, plans, payments, memberships, files, webhooks, and more. - Requires Whop SDK installation and configuration of API key and company ID.
More by @G9Pedro
Published by @G9Pedro on ClawHub
