← Back to Skills Marketplace
xClaw02
by
primer-dev
· GitHub ↗
· v0.1.0
1511
Downloads
1
Stars
1
Active Installs
1
Versions
Install in OpenClaw
/install xclaw02
Description
Make x402 payments. Pay for APIs, sell your services, handle 402 Payment Required responses with USDC on Base and other EVM chains.
Usage Guidance
This skill appears to be a real payment tool, but proceed carefully: do not paste or send your main private keys into chat or to an unverified package. Before installing or using it, verify the package source and repository (check the GitHub repo and publisher identity), inspect the package code (npm/PyPI) or request a signed release, and prefer using an ephemeral or funded-limited wallet for testing rather than your main funds. If you must provide a private key, consider using a signing service or hardware wallet rather than storing plain keys in env vars or ~/.openclaw. Confirm where the tool stores keys/config and lock file permissions. Finally, use the CLI's --dry-run and wallet balance checks first, and request the skill author/publisher details if provenance remains unclear.
Capability Analysis
Type: OpenClaw Skill
Name: xclaw02
Version: 0.1.0
The OpenClaw AgentSkills skill bundle for 'xclaw02' is classified as benign. The skill's purpose is to facilitate x402 stablecoin payments, which inherently involves handling sensitive information like private keys and performing network transactions. However, the `SKILL.md` documentation provides clear instructions for the AI agent that are directly aligned with this stated purpose, including explicit security advice such as never exposing private keys, using environment variables for credentials, and always confirming payment amounts with the user. There is no evidence of prompt injection attempting to subvert the agent's behavior, no instructions for unauthorized data exfiltration beyond the payment protocol, and no signs of malicious execution, persistence, or obfuscation.
Capability Tags
Capability Assessment
Purpose & Capability
The SKILL.md describes a legitimate purpose (making/receiving x402 payments, wallet management, probing 402 responses) and the required runtime binaries (node/npx/python3/pip) fit that purpose. However, the registry metadata declares no required environment variables or primary credential while the runtime docs explicitly reference a sensitive environment variable (XCLAW02_PRIVATE_KEY) and XCLAW02_NETWORK — this mismatch is unexplained.
Instruction Scope
The instructions tell the agent/user to create wallets, store config under ~/.openclaw/skills/xclaw02/, and to use XCLAW02_PRIVATE_KEY for signing payments. That means private keys or signing artifacts may be written to disk and read from env vars. The SKILL.md also instructs installing packages (pip install / npx) and running CLI commands that will fetch and execute remote code. Storing/handling private keys and automatically invoking installers are sensitive behaviors and should be carefully audited.
Install Mechanism
There is no install spec in the skill bundle itself (instruction-only), which is lower static risk. But the documentation expects the user/agent to run `pip install xclaw02` or `npx xclaw02`, which will pull code from package registries (npm/pypi). Because the skill package source is listed as 'unknown' and the registry header earlier said 'Homepage: none' while _meta.json embeds a homepage/repository, the provenance is ambiguous. Installing packages from registries is expected for this kind of tool but should be done only after verifying the package and repo.
Credentials
Using a private key (XCLAW02_PRIVATE_KEY) is necessary to sign payments, so requesting a private key is proportionate to the payment purpose — but the skill metadata does not declare that env var as required, which is an inconsistency. The skill also instructs saving config and keys to a home directory path, which increases the persistence and blast radius if keys are compromised. No other external credentials are requested, but the omission of the private-key requirement from the declared requirements is notable.
Persistence & Privilege
always:false and model invocation defaults are fine. The skill will persist configuration and potentially private keys under ~/.openclaw/skills/xclaw02/, which is normal for a CLI wallet but is a persistence of sensitive material. The skill does not request system-wide privileges or claim to modify other skills.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install xclaw02 - After installation, invoke the skill by name or use
/xclaw02 - Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.0
Initial release of xclaw02: Open payment standard for instant USDC payments using 402 Payment Required responses.
- Supports making and receiving x402 payments via CLI and code (Node.js, Python).
- Enables paying for APIs/services, handling 402 errors, creating wallets, and checking balances on Base and other EVM chains.
- Includes quick setup instructions, CLI/API usage examples, and server middleware for selling paid APIs.
- Lists supported networks, facilitators, environment variables, and common error handling.
- Emphasizes agent safety: private key security and user confirmation for payments.
Metadata
Frequently Asked Questions
What is xClaw02?
Make x402 payments. Pay for APIs, sell your services, handle 402 Payment Required responses with USDC on Base and other EVM chains. It is an AI Agent Skill for Claude Code / OpenClaw, with 1511 downloads so far.
How do I install xClaw02?
Run "/install xclaw02" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is xClaw02 free?
Yes, xClaw02 is completely free (open-source). You can download, install and use it at no cost.
Which platforms does xClaw02 support?
xClaw02 is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created xClaw02?
It is built and maintained by primer-dev (@primer-dev); the current version is v0.1.0.
More Skills