Card Management

by D9m1n1c · GitHub ↗ · v1.0.1 · MIT-0
cross-platform ⚠ suspicious
Downloads: 306 · Stars: 0 · Active Installs: 0 · Versions: 2
Install in OpenClaw
/install aiotnetwork-card-management
Description
Create and manage virtual cards via MasterPay Global. Supports single-use cards for one-time purchases and multi-use cards for repeated use.
README (SKILL.md)

Card Management

Use this skill when the user needs to create virtual cards, view card details, or manage card lifecycle (lock, unlock, cancel).

Configuration

The default API base URL is https://payment-api-dev.aiotnetwork.io. All endpoints are relative to this URL.

To override (e.g. for local development):

export AIOT_API_BASE_URL="http://localhost:8080"

If AIOT_API_BASE_URL is not set, use https://payment-api-dev.aiotnetwork.io as the base for all requests.
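
Because every call made against this base URL carries the bearer token, and some carry the transaction PIN, an agent runtime can validate the override before use. The following is an added example, not part of the skill or its publisher's code; the policy it enforces (plain http only for loopback, https only to the documented host) and the names resolve_base_url, is_loopback and ALLOWED_REMOTE_HOSTS are assumptions.

```python
import ipaddress
import os
from urllib.parse import urlsplit

# Default taken from the skill's Configuration section.
DEFAULT_BASE_URL = "https://payment-api-dev.aiotnetwork.io"
# Assumed policy: only the documented host may receive credentials over the network.
ALLOWED_REMOTE_HOSTS = {"payment-api-dev.aiotnetwork.io"}


def is_loopback(host: str) -> bool:
    """True for 'localhost' or a literal loopback IP (127.0.0.0/8, ::1)."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # a hostname such as 127.0.0.1.example.test is not loopback


def resolve_base_url(env=None) -> str:
    """Return the base URL to use; raise ValueError for an unsafe override."""
    env = os.environ if env is None else env
    raw = (env.get("AIOT_API_BASE_URL") or "").strip()
    if not raw:
        return DEFAULT_BASE_URL
    parts = urlsplit(raw)
    host = (parts.hostname or "").lower()
    if not host:
        raise ValueError("override must be an absolute URL with a host")
    if parts.username or parts.password:
        raise ValueError("override must not embed credentials")
    if parts.query or parts.fragment:
        raise ValueError("override must not carry a query or fragment")
    if is_loopback(host):
        if parts.scheme not in ("http", "https"):
            raise ValueError("loopback override must use http or https")
    elif parts.scheme != "https" or host not in ALLOWED_REMOTE_HOSTS:
        raise ValueError(f"refusing to send credentials to {parts.scheme}://{host}")
    return raw.rstrip("/")


if __name__ == "__main__":
    # Constructed inputs: the page's local-development override and a look-alike host.
    for value in ("http://localhost:8080", "https://payment-api-dev.aiotnetwork.io.example.test"):
        try:
            print(value, "->", resolve_base_url({"AIOT_API_BASE_URL": value}))
        except ValueError as err:
            print(value, "-> rejected:", err)
```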

Available Tools

  • list_card_wallets — List all MasterPay card wallets and balances (required before card creation) | GET /api/v1/masterpay/wallets | Requires auth
  • create_single_use_card — Create a single-use virtual card for a one-time purchase | POST /api/v1/masterpay/cards/single-use | Requires auth
  • create_multi_use_card — Create a multi-use virtual card for repeated purchases | POST /api/v1/masterpay/cards/multi-use | Requires auth
  • list_cards — List all cards in a wallet (defaults to first wallet) | GET /api/v1/masterpay/wallets/cards | Requires auth
  • list_cards_by_wallet — List cards for a specific wallet UUID | GET /api/v1/masterpay/wallets/:wallet_uuid/cards | Requires auth
  • get_card — Get details of a specific card by UUID (includes card ATM PIN, no transaction PIN required) | GET /api/v1/masterpay/cards/:id | Requires auth
  • get_card_details — Get full unmasked card number, CVV, and expiry (sensitive) | POST /api/v1/masterpay/cards/:id/details | Requires auth | Requires transaction PIN
  • get_card_types — Get available card types and their properties | GET /api/v1/masterpay/cards/types | Requires auth
  • lock_card — Lock (block) a card to prevent transactions | POST /api/v1/masterpay/cards/:id/lock | Requires auth | Requires transaction PIN
  • unlock_card — Unlock (reactivate) a previously locked card | POST /api/v1/masterpay/cards/:id/unlock | Requires auth | Requires transaction PIN
  • cancel_card — Permanently cancel (suspend) a card | POST /api/v1/masterpay/cards/:id/cancel | Requires auth | Requires transaction PIN
  • list_applied_cards — List all card applications and their status | GET /api/v1/cards | Requires auth
  • get_applied_card — Get details of a specific card application | GET /api/v1/cards/:id | Requires auth
  • apply_card — Apply for a new payment card (physical or virtual) | POST /api/v1/cards/apply | Requires auth

Recommended Flows

Create a Virtual Card (MasterPay)

Create a single-use or multi-use virtual card via MasterPay

  1. Check KYC status: GET /api/v1/masterpay/kyc/status — must be 'approved' (use get_kyc_status from kyc-identity skill)
  2. List wallets: GET /api/v1/masterpay/wallets — verify at least one wallet exists (no wallets means KYC is not yet approved)
  3. Submit wallet KYC: POST /api/v1/masterpay/wallets/kyc — required before card creation. Needs profile phone number and id_number set via PUT /profile/document (id_number is sent as orgCode to MasterPay)
  4. Create card: POST /api/v1/masterpay/cards/single-use or /multi-use — returns masked PAN and card ATM PIN
  5. Get full details: POST /api/v1/masterpay/cards/:id/details (requires transaction PIN) — returns full card number and CVV

Apply for a Card

Apply for a new physical or virtual card via the card application flow

  1. Get card types: GET /api/v1/masterpay/cards/types — see available types (silver, gold, titanium, hybrid_metal, digital_virtual, digital_virtual_2)
  2. Apply: POST /api/v1/cards/apply with {card_type, delivery_method, full_name, phone_number, email, address?}
  3. Track: GET /api/v1/cards/:id — check application status

Rules

  • KYC must be approved AND wallet KYC must be submitted (POST /masterpay/wallets/kyc) before creating any MasterPay card — card creation fails with NO_WALLETS if KYC is not complete, and MasterPay rejects cards if wallet KYC is missing
  • MasterPay card responses include a masked PAN and the card ATM PIN — use /cards/:id/details with transaction PIN for the full card number and CVV
  • The card ATM PIN (visible in get_card, list_cards, and card creation responses) is for ATM/POS use — it is different from the transaction PIN used for sensitive operations
  • Lock/unlock/cancel operations require transaction PIN verification
  • Cancelled cards cannot be reactivated — cancellation is permanent
  • Card application (POST /cards/apply) requires card_type (silver/gold/titanium/hybrid_metal/digital_virtual/digital_virtual_2) and delivery_method (delivery/on_the_spot)
  • Card application (/cards/apply) is for ordering new cards — use /masterpay/cards/single-use or /multi-use for instant virtual card creation

Agent Guidance

Follow these instructions when executing this skill:

  • Always follow the documented flow order. Do not skip steps.

  • If a tool requires authentication, verify the session has a valid bearer token before calling it.

  • If a tool requires a transaction PIN, ask the user for it fresh each time. Never cache or log PINs.

  • Never expose, log, or persist secrets (passwords, tokens, full card numbers, CVVs).

  • If the user requests an operation outside this skill's scope, decline and suggest the appropriate skill.

  • If a step fails, check the error and follow the recovery guidance below before retrying.

  • The full prerequisite chain is: KYC approved → wallet exists → wallet KYC submitted → card creation. Use get_kyc_status from the kyc-identity skill to verify KYC approval, then list_card_wallets to confirm a wallet exists. If no wallets exist, KYC is not yet approved. Then submit wallet KYC (POST /masterpay/wallets/kyc) before creating any card — MasterPay rejects card creation without wallet KYC.

  • MasterPay card responses (creation, get_card, list_cards) include the card ATM PIN in the response — no transaction PIN is needed to see it.

  • To get the full unmasked card number and CVV, call get_card_details with the user's transaction PIN. This is the only way to retrieve the full PAN and CVV.

  • The card ATM PIN (for ATM/POS use) is different from the transaction PIN (the user's security PIN for sensitive operations like viewing full card details, locking, unlocking, or cancelling).

  • Lock, unlock, and cancel operations all require the transaction PIN.

  • Cancelled cards cannot be reactivated. Confirm with the user before cancelling.
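
Since creation, get_card and list_cards responses carry the card ATM PIN without any transaction PIN, a runtime that logs tool output needs to scrub responses before they reach logs or transcripts. The following is an added example, not part of the skill; the response field names in SENSITIVE_KEYS are hypothetical (the page documents no response schema) and the sample data is constructed.

```python
import re

# Hypothetical field names: the page does not document the response schema.
SENSITIVE_KEYS = {"pin", "atm_pin", "transaction_pin", "cvv", "card_number",
                  "authorization", "token", "password"}
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")  # 13-19 digits, optional separators
BEARER_RE = re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._~+/=-]+")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to avoid masking order numbers and other long integers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _mask_pan(match):
    digits = re.sub(r"\D", "", match.group())
    if not luhn_ok(digits):
        return match.group()
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_text(text: str) -> str:
    """Mask bearer tokens and Luhn-valid card numbers inside free text."""
    text = BEARER_RE.sub("Bearer [REDACTED]", text)
    return PAN_RE.sub(_mask_pan, text)


def redact(value, key=""):
    """Return a copy of a JSON-like value that is safe to log."""
    if key.lower() in SENSITIVE_KEYS:
        return "[REDACTED]"
    if isinstance(value, dict):
        return {k: redact(v, str(k)) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return [redact(v) for v in value]
    if isinstance(value, str):
        return scrub_text(value)
    return value


if __name__ == "__main__":
    # Constructed sample; 4111 1111 1111 1111 is a well-known test number.
    print(redact({"masked_pan": "411111******1111", "atm_pin": "1234",
                  "note": "card 4111 1111 1111 1111 issued"}))
```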

Usage Guidance
This skill appears to implement MasterPay card-management flows, but there are some missing integration details you should confirm before installing:

  • Authentication: The skill demands a valid bearer token for every API call but does not declare how to obtain or store that token (no API_KEY, CLIENT_ID/SECRET, or auth flow described). Ask the publisher how the agent is expected to authenticate (platform-managed session, OAuth flow, API key via another env var, etc.).
  • PrimaryEnv misuse: AIOT_API_BASE_URL is listed as the "primary credential" but is just a URL — make sure no secret was accidentally omitted.
  • Sensitive operations: The skill can return full card numbers, CVVs, and ATM PINs. Ensure you trust the skill/agent runtime and that logs, transcripts, and backups will not persist those values. Follow the SKILL.md guidance to require the transaction PIN interactively and never cache it.
  • External dependency: SKILL.md calls get_kyc_status from a kyc-identity skill but doesn't declare that dependency. Verify that your agent has that skill available and that cross-skill calls are secure.

If the publisher can show how authentication is performed (and add explicit required env vars for tokens/keys or confirm platform-managed auth) and document any cross-skill dependencies, this assessment could be upgraded to benign. As-is, treat it as suspicious and verify these gaps before granting access or entering transaction PINs.
Capability Analysis
Type: OpenClaw Skill
Name: aiotnetwork-card-management
Version: 1.0.1

The skill bundle provides tools for managing virtual cards via the MasterPay Global API (payment-api-dev.aiotnetwork.io). It includes standard card lifecycle operations such as creation, locking, and cancellation, and explicitly instructs the AI agent to handle sensitive data like transaction PINs and CVVs securely without caching or logging. The behavior is consistent with the stated purpose of card management and includes defensive guidance for the agent.
Capability Assessment
Purpose & Capability
The name and description match the documented API endpoints and operations (create/list/lock/unlock/cancel cards). Requiring an API base URL is expected. However, marking the API base URL as the "primary credential" is odd (a URL is not a secret credential) and the skill does not declare how bearer tokens or other auth are obtained, which is a proportionality/integration mismatch.
Instruction Scope
The SKILL.md stays focused on card management flows and explicitly calls out KYC checks, wallet KYC, transaction PIN usage, and sensitive-handling rules. It references another skill (kyc-identity:get_kyc_status) for KYC verification but does not declare that dependency. Instructions require verifying bearer tokens before calls but give no guidance for obtaining those tokens—this is an ambiguity that could lead to unexpected agent behavior.
Install Mechanism
Instruction-only skill with no install spec or code files; nothing is written to disk and there are no third-party installs. Low installation risk.
Credentials
Only AIOT_API_BASE_URL is declared as a required env var; yet every endpoint is marked "Requires auth" and several operations require a transaction PIN. The skill does not declare any auth token, API key, or secret environment variables nor explain how bearer tokens or transaction PIN verification are handled. Declaring a URL as the primary credential is disproportionate and unclear.
Persistence & Privilege
The skill is not force-installed (always: false) and does not request persistent system privileges. It explicitly instructs not to cache transaction PINs and to avoid logging secrets, which is appropriate.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install aiotnetwork-card-management
  3. After installation, invoke the skill by name or use /aiotnetwork-card-management
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
  • Added configuration options for overriding the default API base URL via the AIOT_API_BASE_URL environment variable.
  • Clarified the full prerequisite chain for card creation: KYC approval, wallet existence, and wallet KYC submission are now mandatory before creating any MasterPay card.
  • Updated the card creation flow to include the required wallet KYC submission step.
  • Improved documentation on agent flow and error handling, emphasizing that MasterPay rejects card creation if wallet KYC is missing.
  • No changes to endpoints or tool definitions; documentation and operational guidance only.
v1.0.0
Initial release of Card Management skill for MasterPay Global.
  • Enables creation and management of virtual cards (single-use and multi-use).
  • Supports viewing card details, including masked and full card information (with transaction PIN).
  • Provides tools for locking, unlocking, and cancelling cards.
  • Allows application for new physical or virtual payment cards and tracking of their status.
  • Enforces KYC approval prior to card creation and sensitive actions.
  • Clearly distinguishes between card ATM PIN (for ATM/POS) and transaction PIN (for secure operations).
Metadata
Slug aiotnetwork-card-management
Version 1.0.1
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 2
Frequently Asked Questions

What is Card Management?

Create and manage virtual cards via MasterPay Global. Supports single-use cards for one-time purchases and multi-use cards for repeated use. It is an AI Agent Skill for Claude Code / OpenClaw, with 306 downloads so far.

How do I install Card Management?

Run "/install aiotnetwork-card-management" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Card Management free?

Yes, Card Management is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Card Management support?

Card Management is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Card Management?

It is built and maintained by D9m1n1c (@d9m1n1c); the current version is v1.0.1.
