← Back to Skills Marketplace
664
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install near-getpay
Description
Accept crypto payments (NEAR, USDC, USDT) via a beautiful payment page with PingPay or HOT PAY integration.
Usage Guidance
What to consider before installing:
- Secrets: Do NOT paste API keys or private keys directly into chat with an agent. Prefer adding them to the skill's .env file on your machine and keep the file local (gitignored). The SKILL.md example encourages pasting keys into chat — avoid that.
- Required binaries: The runtime spawns 'npx', 'ts-node' and an 'ssh' reverse tunnel (localhost.run). Make sure those binaries are present and that you're comfortable exposing a local port via an external tunnel.
- Sensitive keys: The skill may require PINGPAY_API_KEY and (for automated on-chain payments) NEAR account credentials/private key. Only give the minimum-permission API key and consider creating a test key or account.
- Public exposure: The start script opens a public URL to your local server. Run this only from a machine you control and consider using a paid/protected tunnel (ngrok/Cloudflare Tunnel) rather than an ephemeral ssh tunnel if you need production stability.
- Cross-skill import: The orchestrator dynamically imports '../near-intents' and calls executeIntent for swaps/bridges. If you intend to use that functionality, inspect the near-intents code (and keep private keys secure). If you don't need on-chain automation, limit configuration to PingPay/HOT PAY checkout-only flows.
- Verify claims: Inspect .env.example, server code, and PingPay/HOT PAY integration endpoints to confirm behavior matches your expectations before running. If you want to be cautious, run the server in an isolated environment (container or VM) and do an npm install offline review of dependencies.
If you want, I can: (a) point out the exact lines where secrets are read or sent, (b) show a safe workflow for running this skill without exposing secrets to chat, or (c) produce a checklist for running it in a sandbox/container.
Capability Analysis
Type: OpenClaw Skill
Name: near-getpay
Version: 1.0.0
The skill is classified as suspicious due to several security vulnerabilities and risky practices, despite its stated benign purpose of creating a crypto payment page. Key indicators include the `start-tunnel.ts` script disabling SSH host key checking (`-o StrictHostKeyChecking=no`), which makes the public tunnel vulnerable to man-in-the-middle attacks. Additionally, the `SKILL.md` and `README.md` documentation recommend generating SSH keys without a passphrase (`-N ""`) for `localhost.run` troubleshooting, which is a security weakness. Furthermore, the `server-simple.ts` file is vulnerable to self-XSS if the `RECIPIENT_ADDRESS` environment variable contains malicious HTML/JavaScript. While the `index.ts` file handles sensitive crypto transactions requiring a NEAR private key, this is for programmatic invoice *payment* (not the public payment page) and is explicitly documented, indicating a high-risk capability rather than direct malice.
Capability Assessment
Purpose & Capability
The code implements a hosted payment page, PingPay client, and an orchestrator for on-chain swaps/bridges; these align with the stated purpose. However the skill also exposes functions that call a separate 'near-intents' module to perform swaps/bridges (index.ts/payment-orchestrator), which is more than a simple static checkout page — this is plausible but broader than the minimal 'payment page' claim.
Instruction Scope
SKILL.md instructs the agent to ask users to "share" API keys in chat or add them to .env. Having the agent solicit secrets over chat is risky and not limited in the instructions. The runtime steps create a public tunnel (ssh to localhost.run) and run local code (npx/ts-node) — these are expected for exposing a page but mean a local service will be exposed externally. The skill also dynamically imports a '../near-intents' module and calls executeIntent, giving it the ability to run cross-skill/local code for on-chain actions.
Install Mechanism
There is no formal install spec in the registry (instruction-only), but the package includes package.json and expects npm install and npx/ts-node. All dependencies come from npm (common packages). No remote downloads or obscure URLs were found. However required binaries like 'ssh' and 'npx'/'ts-node' are used but not declared in the top-level registry metadata, which is inconsistent.
Credentials
The top-level registry metadata reported 'no required env vars', but skill.json and the code expect RECIPIENT_ADDRESS, PAYMENT_PROVIDER and (in practice) PINGPAY_API_KEY and HOTPAY item IDs; index.ts and usage text also reference NEAR_ACCOUNT_ID and NEAR_PRIVATE_KEY for on-chain payments. Sensitive credentials (PingPay API key, potentially NEAR private key) are required for full functionality; these are proportionate for payment operations but the skill's metadata and SKILL.md are inconsistent about which variables are required and the SKILL.md explicitly encourages pasting keys into chat, increasing exfiltration risk.
Persistence & Privilege
The skill does not request permanent platform-wide presence (always:false) and does not modify other skills' configurations. It does import a ../near-intents module if available which could invoke other skill logic, but the skill itself does not persist beyond running the local server and tunnel.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install near-getpay - After installation, invoke the skill by name or use
/near-getpay - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of near-getpay: simple crypto payment pages with NEAR, USDC, and USDT support.
- Accept crypto payments via a hosted, mobile-friendly payment page.
- Integrates with PingPay or HOT PAY for checkout and processing.
- Allows configuration of payment tokens (NEAR, USDC, USDT) and provider selection.
- Easy onboarding with setup wizard and public link via localhost.run tunnel.
- Smart token selection and amount presets for a smooth user experience.
- Documentation includes installation, configuration, customization, troubleshooting, and sharing instructions.
Metadata
Frequently Asked Questions
What is Near Getpay - Accept crypto payments with payment page using PingPay or HOT PAY?
Accept crypto payments (NEAR, USDC, USDT) via a beautiful payment page with PingPay or HOT PAY integration. It is an AI Agent Skill for Claude Code / OpenClaw, with 664 downloads so far.
How do I install Near Getpay - Accept crypto payments with payment page using PingPay or HOT PAY?
Run "/install near-getpay" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Near Getpay - Accept crypto payments with payment page using PingPay or HOT PAY free?
Yes, Near Getpay - Accept crypto payments with payment page using PingPay or HOT PAY is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Near Getpay - Accept crypto payments with payment page using PingPay or HOT PAY support?
Near Getpay - Accept crypto payments with payment page using PingPay or HOT PAY is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Near Getpay - Accept crypto payments with payment page using PingPay or HOT PAY?
It is built and maintained by Cuong DC (@cuongdcdev); the current version is v1.0.0.
More Skills