← Back to Skills Marketplace
marcopesani

bitrefill

by Marco Pesani · GitHub ↗ · v2.1.2 · MIT-0
cross-platform ⚠ suspicious
49
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install bitrefill
Description
Buy or browse Bitrefill — 1,500+ gift cards, mobile top-ups, and eSIMs across 180+ countries, payable in crypto, Lightning, USDC via x402, or pre-funded acco...
README (SKILL.md)

Bitrefill

Bitrefill sells digital goods (gift cards, mobile top-ups, eSIMs) across 180+ countries and 1,500+ brands. Pay with crypto, Lightning, USDC via x402, or pre-funded account balance. Codes deliver instantly after payment confirms.

This skill routes by capability, not by use case. Same intent ("buy a Steam card") plays out differently across hosts. Pick a path below based on what your runtime can do.

Pick a path

Walk these checks in order. First match wins.

  1. Inside OpenClaw? Check for ~/.openclaw/openclaw.json, ~/.openclaw/skills/, or openclaw on PATH. If yes → read host-openclaw.md first. OpenClaw is a superset host: it can run all four paths plus chat-channel scenarios (Telegram purchase, cron top-up, mobile camera). After setup, return here and pick MCP/CLI/API for the actual task.

  2. Browse-only intent (no purchase)? If the user only wants to explore, compare prices, or learn how products work:

    • Have a residential-IP browser (ChatGPT Atlas, Cursor browser tool, Claude/Playwright Chrome extension, OpenClaw on user host)? → browse.md.
    • Datacenter egress only (ChatGPT web/Agent, Gemini consumer, Jules)? www.bitrefill.com returns 403 Cloudflare to datacenter IPs. Use mcp.md search-products / product-details instead — they return the same catalog without scraping.

  3. MCP supported? Bitrefill ships a remote HTTP/SSE MCP at https://api.bitrefill.com/mcp. Works on Claude.ai (Pro+), Cowork, Claude Desktop, Claude Code, ChatGPT (Plus+), Atlas, Codex CLI, Gemini CLI, Cursor, OpenCode, OpenClaw. Highest-fidelity purchase channel — typed tool calls, OAuth or API key, no shell needed.mcp.md.

  4. Shell + npm install available? Claude Code, Codex CLI, Cursor, Gemini CLI, OpenCode, OpenClaw, Jules (ephemeral VM), ChatGPT Agent (sandbox). → cli.md.

  5. Outbound HTTP from agent loop? Anywhere shell exists, plus Claude Code WebFetch. Last resort — verbose, no typed validation. → api.md.

  6. None of the above (e.g. Gemini consumer free tier): give the user a bitrefill.com link and stop.

Don't know which host you're in? Read capability-matrix.md — per-client cheat sheet maps every leading agent product to its viable paths.

Top spending safeguards (read full list before any purchase)

This skill enables real-money transactions. Codes deliver instantly and digital goods are non-refundable per EU consumer rights.

  • Confirm before buying. Present product, denomination, price, payment method. Wait for explicit user approval. Autonomous purchasing only when user opts in for the current session.
  • Treat codes as cash. Never paste in group chats or public channels. Prefer in-memory storage over plain-text logs. Advise user to redeem ASAP.
  • Use a dedicated, low-balance account. Never give the agent access to high-balance accounts or crypto wallet seeds. This skill is not a wallet.
  • Log every purchase. invoice_id, product, amount, payment method.

Full safeguards + per-host hardening (OpenClaw exec-approvals, Cursor auto-approve, Codex sandbox, Claude Code allowlist) → safeguards.md.

References

File Use when
browse.md Agent has residential-IP browser; user wants to explore
mcp.md MCP-capable host; preferred purchase path
cli.md Shell + npm available; headless scripting
api.md HTTP-only runtime; Personal / Business / Affiliate REST tiers
host-openclaw.md Running inside OpenClaw Gateway
capability-matrix.md Per-client viable paths cheat sheet
safeguards.md Spending policy + per-host hardening
troubleshooting.md Common errors across all paths

Source of truth

Skill summarizes and routes. For exhaustive enums (countries, payment methods, full endpoint list), follow link-outs to \x3Chttps://docs.bitrefill.com>.

Usage Guidance
This skill appears to implement a legitimate Bitrefill integration, but there are important mismatches you should address before installing: (1) The manifest claims no required env vars or config paths, yet the runtime docs require BITREFILL_API_KEY (and optionally API ID/SECRET) and access to OpenClaw config files — treat these as sensitive. (2) The skill instructs installing a global npm CLI and writing API keys to host config (~/.openclaw/.env, ~/.config/bitrefill-cli/credentials.json). Only proceed if you trust the skill source; the registry shows 'source: unknown' so verify the repository and release channel (the docs point to https://github.com/bitrefill/cli and https://www.bitrefill.com). (3) If you run this on OpenClaw or any host that can perform purchases, enforce the recommended hardening: deny auto-approve for buy-products, require operator confirmation for buys, isolate the skill's agent so it cannot rewrite gateway config, restrict channel delivery of codes, and keep any agent-funded account balance very low. (4) Ask the publisher to update the skill manifest to explicitly declare required environment variables and config paths (BITREFILL_API_KEY, optional BITREFILL_API_ID/SECRET, any channel tokens) so the permission surface is visible up-front. (5) Prefer MCP path with minimal stored credentials and avoid installing the CLI globally on critical hosts; if you must, install it in a controlled sandbox. If you want, request the skill publisher or maintainer provenance (signed release, official npm/org ownership) — that would increase confidence.
Capability Analysis
Type: OpenClaw Skill Name: bitrefill Version: 2.1.2 The Bitrefill skill bundle enables autonomous financial transactions for gift cards and eSIMs, requiring high-risk capabilities such as shell execution (`npm install` in cli.md), outbound network access to api.bitrefill.com, and modification of host configuration files (~/.openclaw/openclaw.json in host-openclaw.md). While these actions are aligned with the stated purpose and the documentation includes extensive safety guidelines and spending safeguards in safeguards.md, the combination of autonomous payments and broad environment access (shell, network, and filesystem) meets the threshold for a suspicious classification under the provided criteria.
Capability Tags
cryptorequires-walletcan-make-purchasesrequires-oauth-tokenrequires-sensitive-credentials
Capability Assessment
Purpose & Capability
Name and description match a Bitrefill buying/browsing integration and the SKILL.md workflows (browse, MCP, CLI, API) are coherent for that purpose. However, the registry metadata lists no required environment variables or config paths while the instructions repeatedly reference BITREFILL_API_KEY, API ID/SECRET, and OpenClaw files (e.g. ~/.openclaw/openclaw.json, ~/.openclaw/.env, ~/.config/bitrefill-cli/credentials.json). That omission in the declared requirements is an incoherence — a legitimate Bitrefill skill should advertise the credential(s) and config paths it needs.
Instruction Scope
SKILL.md and supporting docs instruct the agent to read and write host files (OpenClaw config, credentials file), to perform global installs (npm install -g @bitrefill/cli), and to set MCP entries and env vars in host config. Those actions are within the claimed functionality for an integration that can perform purchases, but they grant the skill the ability to modify gateway configuration and write credentials to disk. The instructions also call for polling, webhook use, and optional delivery of codes — all expected — but the skill's manifest did not declare these filesystem/config operations or credential needs, which widens the real runtime surface beyond what's advertised.
Install Mechanism
No installer spec is included (instruction-only), which reduces some supply-chain risk. However, the docs explicitly recommend global npm installs and cloning the GitHub repo as part of the CLI path; those are host-side operations that will write to disk and modify the environment. This is a normal fallback for a CLI integration but still requires trust in the upstream package/source (the SKILL.md points to https://github.com/bitrefill/cli and https://www.bitrefill.com).
Credentials
The declared manifest lists no required env vars, yet the instructions reference BITREFILL_API_KEY, BITREFILL_API_ID/SECRET (Business/Affiliate), TELEGRAM_BOT_TOKEN (channel setup examples), and guidance to write the API key into ~/.openclaw/.env. Asking for those credentials would be proportionate to the purchase capability, but failing to declare them in the skill metadata is a mismatch that hides the scope of secrets needed. Because the skill can accept multiple auth modes (personal bearer token, basic API ID/SECRET) and may be told to store them in host config, users should treat this as requiring sensitive credentials.
Persistence & Privilege
always:false (good), and autonomous invocation is allowed by default (expected). The SKILL.md and host-openclaw.md explicitly instruct installing the skill into OpenClaw (copy to ~/.openclaw/skills/bitrefill), merging MCP entries, and writing env vars — i.e., persistent host-level changes. Those capabilities are coherent for a host integration but are privileged: they let the skill add MCP endpoints, modify gateway config, and enable automatic purchases if approvals are relaxed. Combined with the undeclared credential requirements, this raises a meaningful persistence/privilege risk unless the host hardening controls described in the docs are enforced.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install bitrefill
  3. After installation, invoke the skill by name or use /bitrefill
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v2.1.2
Version 1.0.0 of Bitrefill skill - Initial release supporting browsing and purchasing Bitrefill gift cards, mobile top-ups, and eSIMs in 180+ countries. - Adaptive channel routing: automatically chooses the highest-fidelity integration (browser, MCP, CLI, API) based on host environment. - Supports crypto, Lightning, USDC via x402, and pre-funded balance payments. - Safety and spending safeguard instructions included; warns before any transaction. - Reference guides provided for all technical paths and environments, including special OpenClaw integration. - Thorough compatibility instructions for common agent/AI platforms.
Metadata
Slug bitrefill
Version 2.1.2
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is bitrefill?

Buy or browse Bitrefill — 1,500+ gift cards, mobile top-ups, and eSIMs across 180+ countries, payable in crypto, Lightning, USDC via x402, or pre-funded acco... It is an AI Agent Skill for Claude Code / OpenClaw, with 49 downloads so far.

How do I install bitrefill?

Run "/install bitrefill" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is bitrefill free?

Yes, bitrefill is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does bitrefill support?

bitrefill is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created bitrefill?

It is built and maintained by Marco Pesani (@marcopesani); the current version is v2.1.2.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments