Latest release: v1.0.1
Capabilities
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
The name/description, listed CLI tools, and .mcp.json entry are consistent with an A2M payment plugin that delegates work to the snaplii-cli MCP server. The README and SKILL.md only reference Snaplii-related artifacts (app, API key, snaplii-cli) — nothing unrelated is requested.
Instruction Scope
SKILL.md stays on topic: it instructs installing the snaplii-cli, creating an API key in the mobile app, and using the provided CLI tools. It explicitly states purchases and key operations require explicit user confirmation. The instructions do not ask the agent to read unrelated files or environment variables. Note: the instructions assume the snaplii-cli/MCP server will handle secrets as described; you should verify that behavior in the actual package.
Install Mechanism
This is an instruction-only skill with no install spec in the registry; the README directs users to pip install snaplii-cli and an MCP component and links to the PyPI and GitHub sources. That is expected for this kind of plugin, but installing third-party PyPI packages carries risk — the skill itself does not bundle or pin code to review.
Credentials
The skill declares no required environment variables or config paths. The README describes API keys created in the mobile app and claims keys are passed via hidden stdin or MCP parameters and 'never stored on disk.' That is proportionate to the plugin's purpose; however, the registry bundle does not verify or enforce that behavior, so confirm how the installed snaplii-cli actually handles keys.
Persistence & Privilege
always is false and there's no request to modify other skills or system-wide settings. The .mcp.json declares a server command but does not request permanent elevated privileges. Autonomous invocation is permitted (default) but the README instructs explicit confirmations for purchases, which reduces risk if followed.
Assessment
This skill appears coherent for making agent-driven purchases with Snaplii gift cards, but you should: 1) review the snaplii-cli PyPI package and its GitHub source before installing (look for how it stores/handles API keys and redemption codes), 2) confirm the MCP server process (snaplii-mcp) will not persist secrets or exfiltrate data, 3) verify the Snaplii app's API key scope and spending limits in the mobile app, and 4) ensure you (the user) always explicitly confirm purchases when the agent asks. Because the registry bundle is instruction-only, the real security surface is the external snaplii-cli package and Snaplii service — vet those before use.
Verification
Tags
Snaplii A2M Payment — MCP Plugin
Agent-to-Merchant (A2M) payments — where AI agents complete transactions without checkout. Snaplii uses pre-funded gift cards as a payment rail, enabling instant, merchant-ready execution across 500+ brands.
Prerequisites
- Download the Snaplii App (iOS / Android)
- Create an API Key in the app: More → Payment Methods → AI Payment Management → + New API Key
- Install the MCP server:
  pip install snaplii-cli "mcp[cli]" (PyPI package | Source code)
Tools
| Tool | Description |
|---|---|
| snaplii_init | Authenticate with API key (not stored) |
| snaplii_config_show | Show auth status |
| snaplii_browse_tags | Browse gift card categories (CA/US) |
| snaplii_browse_brand | Brand details and denominations |
| snaplii_giftcard_list | List owned gift cards |
| snaplii_giftcard_detail | Card redemption code (sensitive) |
| snaplii_purchase | Buy a gift card (requires explicit user confirmation) |
| snaplii_apikey_list | List API keys |
| snaplii_apikey_create | Create API key |
| snaplii_apikey_delete | Delete API key |
| snaplii_cashback_calc | Calculate cashback savings |
| snaplii_dashboard | Owned card inventory summary |
Security
- API key handling: API keys are used only to obtain a short-lived token and are never stored on disk. Keys are passed via hidden stdin input (CLI) or MCP tool parameters (plugin) — never as command-line arguments.
- Sensitive data: Card redemption codes, PINs, and barcode URLs are treated as confidential. They are never displayed unless the user explicitly requests them.
- Purchase authorization: All purchase, API key creation, and API key deletion operations require explicit user confirmation before execution. The agent must not execute these autonomously.
- Spending limits: API keys are scoped with hard spending limits set in the Snaplii app. Agents can only spend from prepaid Snaplii Cash balance.
