Critical-risk tools in ClawPay
7 of the 9 tools in ClawPay are classified as critical risk. This page profiles those tools specifically, with recommended policy actions and the attack patterns that target them.
Every operation listed below is an action PolicyLayer recommends controlling at the transport layer. Open any tool to see the full profile, risk score, and YAML policy snippet.
Tools at critical risk
-
browse_and_buyFinancialBrowse an online store, add items to cart, and complete purchase using a Lithic virtual card. Requires Playwright installed.
-
payFinancialCreate and confirm a payment in cents.
-
refundFinancialRefund a payment intent.
-
send_paypalFinancialSend money via PayPal Payouts to an email address or phone number.
-
setup_lithicFinancialSet up Lithic virtual card API for AI shopping. Reads LITHIC_API_KEY from environment.
-
setup_paymentFinancialSet up Stripe payment method for ClawPay.
-
setup_paypalFinancialLink PayPal account using Client ID and Client Secret. Reads credentials from PAYPAL_CLIENT_ID and PAYPAL_CLIENT_SECRET environment variables or config file.
Attacks that target this class
Critical-risk tools in any server share these documented attack patterns. Each links to the full case and the defensive policy.