clawallex-tech

Clawallex

by Clawallex · GitHub ↗ · v1.0.4 · MIT-0
cross-platform ✓ Security Clean
174
Downloads
0
Stars
0
Active Installs
3
Versions
Install in OpenClaw
/install clawallex
Description
Pay for anything with USDC — virtual cards for any online checkout
README (SKILL.md)

Clawallex

Pay for anything with USDC. Clawallex converts your stablecoin balance into virtual cards that work at any online checkout.

Features

  • Flash Cards — one-time use virtual cards for single payments
  • Stream Cards — reloadable cards for subscriptions, top up with refill
  • Mode A — pay from your USDC wallet balance
  • Mode B — on-chain x402 payment for callers with self-custody wallets (agent or user) — signing is performed by the caller
  • Zero dependencies — Python 3.9+ stdlib only

Quick Start

1. Set Up Account

New user — browser signup (recommended):

python3 {baseDir}/scripts/clawallex.py signup

Returns a URL and token. Show the URL to the user, ask them to open it and click Authorize. The command polls automatically. If polling fails, retry with the token:

python3 {baseDir}/scripts/clawallex.py signup-check --token <token>

Existing user — connect with API keys:

Get your API Key and Secret at app.clawallex.com/dashboard/settings, then run:

python3 {baseDir}/scripts/clawallex.py setup --action connect --api-key YOUR_KEY --api-secret YOUR_SECRET

2. Verify

python3 {baseDir}/scripts/clawallex.py wallet          # check balance
python3 {baseDir}/scripts/clawallex.py cards            # list cards

Hard Rules

  1. Setup first — Run setup --action status before any payment. If not configured: use signup for new accounts, or setup --action connect if the user already has API keys.
  2. Check balance first — Run wallet before pay or subscribe to verify sufficient funds (Mode A only).
  3. Never expose card secrets — Decrypted PAN/CVV are STRICTLY for filling checkout forms. NEVER display to the user. Show only masked_pan from card-details.
  4. Confirm before paying — Echo amount and description back to user before creating a card.
  5. One command at a time — Run each command, check output, then proceed.
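
Rule 3 can be backed by a filter applied to any text before it is shown to the user. The following is an added example, not part of the Clawallex skill: it masks Luhn-valid card numbers and "cvv" JSON values, and all names and sample strings in it are constructed for illustration.

```python
import re

# 13-19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# A CVV has no checksum, so it is only recognisable by its JSON key.
CVV_RE = re.compile(r'("cvv"\s*:\s*")\d{3,4}(")', re.IGNORECASE)


def luhn_ok(digits):
    """Luhn checksum: double every second digit counted from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def redact_card_data(text):
    """Return (safe_text, hits) with PANs masked to their last four digits."""
    hits = 0

    def mask_pan(match):
        nonlocal hits
        raw = match.group(0)
        positions = [i for i, c in enumerate(raw) if c.isdigit()]
        # Longest match first, then shorter prefixes: a PAN followed by
        # " 123" would otherwise be read as one 19-digit number and missed.
        for n in range(len(positions), 12, -1):
            end = positions[n - 1] + 1
            digits = re.sub(r"\D", "", raw[:end])
            if luhn_ok(digits):
                hits += 1
                return "*" * (n - 4) + digits[-4:] + raw[end:]
        return raw  # timestamps, token amounts and ids fail the checksum

    text = PAN_RE.sub(mask_pan, text)
    text, cvv_hits = CVV_RE.subn(r"\1***\2", text)
    return text, hits + cvv_hits


# Constructed sample lines; the PAN is the test number used on this page.
SAMPLES = [
    '{"pan": "4111111111111111", "cvv": "123"}',
    "card 4111 1111 1111 1111 ready",
    "ts=1700000000000 value=207590000",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(redact_card_data(line))
```

A CVV that appears outside a "cvv" key cannot be recognised by pattern, so the filter complements the rule rather than replacing it.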

Typical Flows

Payment Flow (Mode A — Wallet Balance)

1. setup --action status                                    → check config
2. wallet                                                   → check balance
3. pay --amount 50 --description "OpenAI"                   → create flash card
4. card-details --card-id <ID from step 3>                  → get encrypted card data
5. Decrypt PAN/CVV (HKDF + AES-256-GCM)                    → use ONLY for checkout form

Subscription Flow

1. wallet                                                   → check balance
2. subscribe --amount 100 --description "AWS billing"       → create stream card
3. card-details --card-id <ID from step 2>                  → get card for sign-up form
4. refill --card-id <ID> --amount 50                        → top up when balance is low

Command Reference

All commands:

python3 {baseDir}/scripts/clawallex.py <command> [args]

Setup & Identity

User Intent | Command
Quick signup — browser-based new account creation (recommended for first-time setup) | signup
Check signup result with existing token | signup-check --token TOKEN
Connect account | setup --action connect --api-key KEY --api-secret SECRET
Check config status | setup --action status
Get sign-up link | setup --action register
Check API Key binding | whoami
Bind client_id | bootstrap or bootstrap --preferred-client-id MY_ID

Payments

User Intent | Command
Pay for something | pay --amount N --description "X"
Pay with custom expiry | pay --amount N --description "X" --ttl SECONDS — flash card only; default 86400 (24 h)
Start subscription | subscribe --amount N --description "X"
Top up card | refill --card-id CID --amount N

Wallet & Cards

User Intent | Command
Check balance | wallet
Deposit funds | recharge-addresses --wallet-id WID
List cards | cards — returns mode_code (100=Mode A, 200=Mode B) to determine refill path
Check card balance | card-balance --card-id CID
Batch check balances | batch-balances --card-ids CID1,CID2 — multiple cards in one call
Update card controls | update-card --card-id CID --client-request-id UUID [--tx-limit] [--allowed-mcc] [--blocked-mcc]
Get card details | card-details --card-id CID — returns masked_pan, expiry, balance, first_name, last_name, tx_limit, allowed_mcc, blocked_mcc, encrypted PAN/CVV
View transactions | transactions

Advanced (x402 On-Chain)

User Intent | Command
Get x402 payee address | x402-address --chain ETH --token USDC — MUST call before Mode B Refill

Setup Flow

When the user wants to use Clawallex for the first time:

  1. Run setup --action status to check current configuration.
  2. If not configured, ask: "Do you have a Clawallex account?"
    • Yes, have API keys: Ask for API Key and Secret, then run:
      setup --action connect --api-key KEY --api-secret SECRET
      
      This automatically verifies credentials, binds client_id, and saves locally.
    • No account yet: Run the browser signup flow:
      signup
      
      This generates a URL and a token — show the URL to the user and ask them to open it and click Authorize. The command polls automatically. If polling fails or times out, use the token to retry manually:
      signup-check --token <token from signup output>
      
  3. Verify with wallet to confirm connection works.

Signup result statuses — all returned as success: true:

  • pending — user hasn't authorized yet, call signup-check again
  • ok — credentials saved, ready to use
  • cancelled — user cancelled, ask if they want to try again
  • already_exists — account already has API keys, switch to setup --action connect

Mode B Flow (x402 On-Chain, Two-Stage)

Mode B is for callers with self-custody wallets, whether agent or user (for example DeFi bots and autonomous purchasing agents). The agent signs on-chain transactions using its own signing system — no human intervention needed.

Stage 1 — Quote:

pay --amount 200 --description "GPU rental" --mode-code 200 --chain-code ETH --token-code USDC

The 402 response is EXPECTED — it is a quote, NOT an error. Returns:

  • client_request_id, payee_address, asset_address, x402_reference_id
  • final_card_amount, issue_fee_amount, fx_fee_amount, fee_amount, payable_amount

Fee structure:

  • flash card: fee_amount = issue_fee_amount + fx_fee_amount
  • stream card: fee_amount = issue_fee_amount + monthly_fee_amount + fx_fee_amount

Agent signs — construct and sign an EIP-3009 transferWithAuthorization using your own wallet/signing library and the quote details. Only the resulting signature and your wallet address are needed for Stage 2. EIP-3009 enables gasless USDC transfers via off-chain signatures. The authorization fields map to:

  • from: your wallet address (the payer)
  • to: payee_address from Stage 1 (system receiving address)
  • value: maxAmountRequired (payable_amount in token minimal units, USDC = 6 decimals)
  • validAfter / validBefore: unix timestamps (seconds) defining the signature validity window
  • nonce: random 32-byte hex, must be unique per authorization

Stage 2 — Settle (MUST use same client_request_id):

pay --amount 200 --description "GPU rental" \
  --mode-code 200 \
  --client-request-id "uuid-from-stage-1" \
  --x402-version 1 \
  --payment-payload '{
    "scheme": "exact",
    "network": "ETH",
    "payload": {
      "signature": "0x<agent EIP-3009 signature>",
      "authorization": {
        "from": "0x<agent wallet address>",
        "to": "<payee_address from stage 1>",
        "value": "<maxAmountRequired, e.g. 207590000>",
        "validAfter": "<unix timestamp seconds>",
        "validBefore": "<unix timestamp seconds>",
        "nonce": "0x<random 32-byte hex>"
      }
    }
  }' \
  --payment-requirements '{
    "scheme": "exact",
    "network": "ETH",
    "asset": "<asset_address from stage 1>",
    "payTo": "<payee_address from stage 1>",
    "maxAmountRequired": "<payable_amount × 10^6, e.g. 207590000>",
    "extra": {
      "referenceId": "<x402_reference_id from stage 1>"
    }
  }' \
  --extra '{"card_amount": "200.0000", "paid_amount": "<payable_amount, e.g. 207.5900>"}'

Stage 2 constraints:

  • --client-request-id MUST be identical to Stage 1 — a different value creates a NEW order
  • payment_requirements.payTo MUST equal payee_address from Stage 1
  • payment_requirements.asset MUST equal asset_address from Stage 1
  • payment_requirements.maxAmountRequired MUST equal payable_amount × 10^decimals (USDC = 6 decimals)
  • payment_requirements.extra.referenceId MUST equal x402_reference_id from Stage 1
  • extra.card_amount MUST equal the --amount
  • extra.paid_amount MUST equal payable_amount from Stage 1 (amount + fee_amount)
  • payment_payload.network MUST equal payment_requirements.network
  • payload.authorization.to MUST equal payment_requirements.payTo
  • payload.authorization.value MUST equal payment_requirements.maxAmountRequired
  • Server will force-inject extra.mode=STANDARD — any client-provided value is ignored
  • If settle is rejected, order stays pending_payment — fix params and retry with same client_request_id
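
The constraints above can be checked locally before the caller signs or submits anything. The following is an added example, not code from the Clawallex skill: the function names, the sample quote and the placeholder addresses are constructed, and the nonce and validity-window checks are derived from the EIP-3009 field descriptions rather than from the constraint list.

```python
import re
from decimal import Decimal

USDC_DECIMALS = 6


def to_minimal_units(amount, decimals=USDC_DECIMALS):
    """'207.5900' -> '207590000'; Decimal avoids float rounding on money."""
    scaled = Decimal(amount).scaleb(decimals)
    if scaled != scaled.to_integral_value():
        raise ValueError(f"{amount} has more than {decimals} decimal places")
    return str(int(scaled))


def check_stage2(quote, amount, client_request_id, payload, requirements, extra, now):
    """Return the names of violated constraints; an empty list means consistent."""
    auth = payload["payload"]["authorization"]
    units = to_minimal_units(quote["payable_amount"])
    checks = [  # exact string comparison, since the page says MUST equal
        ("client_request_id == Stage 1 value", client_request_id == quote["client_request_id"]),
        ("payTo == payee_address", requirements["payTo"] == quote["payee_address"]),
        ("asset == asset_address", requirements["asset"] == quote["asset_address"]),
        ("maxAmountRequired == payable_amount x 10^6", requirements["maxAmountRequired"] == units),
        ("extra.referenceId == x402_reference_id",
         requirements["extra"]["referenceId"] == quote["x402_reference_id"]),
        ("extra.card_amount == --amount", Decimal(extra["card_amount"]) == Decimal(amount)),
        ("extra.paid_amount == payable_amount",
         Decimal(extra["paid_amount"]) == Decimal(quote["payable_amount"])),
        ("payload network == requirements network", payload["network"] == requirements["network"]),
        ("authorization.to == payTo", auth["to"] == requirements["payTo"]),
        ("authorization.value == maxAmountRequired", auth["value"] == requirements["maxAmountRequired"]),
        ("nonce is 0x + 32 bytes of hex", re.fullmatch(r"0x[0-9a-fA-F]{64}", auth["nonce"]) is not None),
        ("validAfter < now < validBefore", int(auth["validAfter"]) < now < int(auth["validBefore"])),
    ]
    return [name for name, ok in checks if not ok]


# Constructed sample data: placeholder addresses and ids, not real values.
PAYEE, ASSET, PAYER = "0x" + "11" * 20, "0x" + "aa" * 20, "0x" + "33" * 20
NOW = 1_700_000_000
QUOTE = {"client_request_id": "uuid-from-stage-1", "payee_address": PAYEE,
         "asset_address": ASSET, "x402_reference_id": "ref-001",
         "payable_amount": "207.5900"}
PAYLOAD = {"scheme": "exact", "network": "ETH", "payload": {
    "signature": "0x" + "ab" * 65,  # placeholder, not a valid signature
    "authorization": {"from": PAYER, "to": PAYEE, "value": "207590000",
                      "validAfter": str(NOW - 300), "validBefore": str(NOW + 600),
                      "nonce": "0x" + "5c" * 32}}}  # real nonces must be random
REQUIREMENTS = {"scheme": "exact", "network": "ETH", "asset": ASSET, "payTo": PAYEE,
                "maxAmountRequired": "207590000", "extra": {"referenceId": "ref-001"}}
EXTRA = {"card_amount": "200.0000", "paid_amount": "207.5900"}

if __name__ == "__main__":
    print(check_stage2(QUOTE, "200", "uuid-from-stage-1", PAYLOAD, REQUIREMENTS, EXTRA, NOW))
```

Running the check before signing matters most for payTo and value, because the signature authorizes a transfer to exactly that address for exactly that amount.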

Mode B Refill Flow (no 402 challenge)

Mode B refill goes directly to x402 settle — no 402 challenge stage. Caller signs the EIP-3009 authorization independently using their own wallet/signing library; only the resulting signature and wallet address are submitted. Must call x402-address first to get payee_address.

1. x402-address --chain ETH --token USDC                    → get payee_address
2. refill --card-id c_123 --amount 50 \
     --x402-reference-id "<unique reference id>" \
     --x402-version 1 \
     --payment-payload '{
       "scheme": "exact",
       "network": "ETH",
       "payload": {
         "signature": "0x<EIP-3009 signature>",
         "authorization": {
           "from": "0x<agent wallet>",
           "to": "<payee_address from step 1>",
           "value": "<amount × 10^6>",
           "validAfter": "<unix seconds>",
           "validBefore": "<unix seconds>",
           "nonce": "0x<random 32-byte hex>"
         }
       }
     }' \
     --payment-requirements '{
       "scheme": "exact",
       "network": "ETH",
       "asset": "<asset contract address>",
       "payTo": "<payee_address from step 1>",
       "maxAmountRequired": "<amount × 10^6>",
       "extra": { "referenceId": "<x402_reference_id>" }
     }'

Mode B refill idempotency key is x402_reference_id (not client_request_id). Check cards mode_code to determine which refill path the card uses.

How to Talk to the User

During setup

  • "I need your Clawallex API Key and Secret to get started. You can find them at app.clawallex.com/dashboard/settings."
  • If no account: "No problem — I can get you a sign-up link."
  • After connect: "You're all set! Want to check your balance?"

During payments

  • Always confirm: "I'll create a $50 card for OpenAI API credits, deducted from your wallet balance. Go ahead?"
  • After card creation: "Card created! Let me get the card details for checkout."
  • Never show PAN/CVV in conversation. Show only masked_pan if asked.

On errors

  • Don't blame the user. Be actionable: "Your wallet balance is $20 but this needs $50. You can deposit more USDC or try a smaller amount."
  • 402 response (Mode B): This is expected — explain it's the first step of a two-stage payment, not an error.

Decrypting Card Sensitive Data

card-details returns encrypted_sensitive_data with encrypted PAN/CVV:

  1. Derive key: HKDF-SHA256(ikm=api_secret, salt=empty, info="clawallex/card-sensitive-data/v1", length=32)
  2. Decode: nonce = base64_decode(nonce), raw = base64_decode(ciphertext)
  3. Split: encrypted_data = raw[:-16], auth_tag = raw[-16:]
  4. Decrypt: AES-256-GCM(key, nonce, encrypted_data, auth_tag) → JSON
  5. Result: {"pan": "4111111111111111", "cvv": "123"}
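
The five steps above, written out as an added example that is not the skill's own code. HKDF is implemented from RFC 5869 with the standard library; the AES-256-GCM step uses the third-party cryptography package, which the skill itself does not depend on. Assumptions: api_secret is UTF-8 encoded before key derivation, no associated data is used, and the function names and sample blob are constructed.

```python
import base64
import hashlib
import hmac
import json

INFO = b"clawallex/card-sensitive-data/v1"  # info string from step 1


def hkdf_sha256(ikm, salt, info, length):
    """RFC 5869 extract-then-expand; an empty salt means 32 zero bytes."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_card_key(api_secret):
    # Assumption: the secret is used as its UTF-8 bytes.
    return hkdf_sha256(api_secret.encode("utf-8"), b"", INFO, 32)


def split_blob(nonce_b64, ciphertext_b64):
    """Steps 2 and 3: decode, then separate the trailing 16-byte GCM tag."""
    nonce = base64.b64decode(nonce_b64, validate=True)
    raw = base64.b64decode(ciphertext_b64, validate=True)
    if len(raw) <= 16:
        raise ValueError("ciphertext too short to contain a 16-byte GCM tag")
    return nonce, raw[:-16], raw[-16:]


def decrypt_card(api_secret, nonce_b64, ciphertext_b64):
    """Step 4. Returns the dict from step 5; never log or print the result."""
    from cryptography.exceptions import InvalidTag
    from cryptography.hazmat.primitives.ciphers.aead import AESGCM

    nonce, encrypted, tag = split_blob(nonce_b64, ciphertext_b64)
    try:
        # AESGCM.decrypt expects ciphertext with the tag appended.
        plain = AESGCM(derive_card_key(api_secret)).decrypt(nonce, encrypted + tag, None)
    except InvalidTag:
        # Matches the "Decryption failed" row of the Error Recovery table.
        raise ValueError("Decryption failed: bad data or api_secret changed") from None
    return json.loads(plain)


# Constructed blob (12-byte nonce, 2 data bytes + 16 tag bytes) for split_blob.
SAMPLE_NONCE_B64 = "QUFB" * 4
SAMPLE_CIPHERTEXT_B64 = "QUFB" * 6

if __name__ == "__main__":
    nonce, data, tag = split_blob(SAMPLE_NONCE_B64, SAMPLE_CIPHERTEXT_B64)
    print(len(derive_card_key("constructed-secret")), len(nonce), len(data), len(tag))
```

A failed tag check means the ciphertext or key is wrong, so the caller should re-fetch with card-details instead of retrying the decryption.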

Error Recovery

Error | Cause | Action
"not configured" | No credentials saved | Run setup --action connect with valid credentials
"Invalid credentials" | Wrong API Key/Secret | Check at app.clawallex.com/dashboard/settings
Insufficient balance | Wallet balance too low | Run recharge-addresses for deposit info, or use Mode B
402 response | Mode B Stage 1 (expected) | This is the quote — proceed to Stage 2 with same client_request_id
Settle rejected (Mode B) | Invalid x402 params | Order stays pending_payment — fix params and retry with same client_request_id
Card not found | Wrong card_id | Run cards to list valid card IDs
Decryption failed | Bad data or apiSecret changed | Re-fetch via card-details, verify credentials

Output Format

All commands return JSON:

  • success: true → data in data field, next steps in _hint
  • success: false → error message in error field

Key Concepts

  • Flash card: Created by pay. Single-use, auto-destroyed after one transaction. Cannot be refilled.
  • Stream card: Created by subscribe. Reloadable, top up with refill.
  • Wallet: Your USDC balance. Funds all Mode A operations.
  • Mode A (mode_code=100): Wallet balance deduction (default).
  • Mode B (mode_code=200): x402 on-chain USDC payment for callers with self-custody wallets (agent or user). Two-stage (quote → sign → settle). Agent signs EIP-3009 independently; only the signature and wallet address are passed to Stage 2.
  • client_id: The agent's stable identity, separate from the API Key. An agent can have multiple API Keys (for rotation/revocation), but client_id never changes. Cards and transactions are isolated per client_id. When switching to a new API Key, keep using the same client_id — the new key auto-binds on first request. Once bound, it cannot be changed (TOFU). Stored locally at ~/.clawallex/credentials.json.
Usage Guidance
This skill appears to be a coherent CLI client for a virtual-card service, but it comes from an unknown publisher and handles extremely sensitive card data. Before installing or running:
  1. Review the included scripts yourself (they will be executed with python3).
  2. Only provide API keys if you trust the service and review how and where credentials are stored (~/.clawallex/credentials.json).
  3. Be careful with any operation that decrypts PAN/CVV — the SKILL.md forbids displaying decrypted card secrets, but verify the agent actually follows that rule.
  4. If you are unsure, test in an isolated environment (VM or disposable account) and prefer the browser signup flow rather than pasting long-term API secrets.
  5. Note the minor metadata inconsistency (SKILL.md requires python3 while registry declared none).
Capability Analysis
Type: OpenClaw Skill
Name: clawallex
Version: 1.0.4
The skill bundle provides a CLI and agent instructions for managing USDC virtual cards via the Clawallex service. It follows security best practices, including HMAC-SHA256 for API request signing, AES-256-GCM for sensitive data encryption, and restricted file permissions (0600) for local credential storage in `~/.clawallex/`. The instructions in `SKILL.md` explicitly direct the AI agent to protect sensitive card data (PAN/CVV) and never display it to the user. The code in `scripts/clawallex.py` uses only Python standard libraries and lacks any indicators of malicious intent, such as unauthorized data exfiltration or shell execution.
Capability Assessment
Purpose & Capability
Name/description (USDC virtual cards) match the included CLI implementation: network calls target clawallex API endpoints, CLI supports signup/connect/pay/wallet/cards/etc. No unrelated services, binaries, or env vars are requested.
Instruction Scope
SKILL.md tells the agent to run the included Python CLI, perform signup or accept API keys, poll for authorization, and (when needed) decrypt PAN/CVV with HKDF + AES-256-GCM. Those actions align with a payment client, but decrypting card PAN/CVV is handling highly sensitive data; the instructions forbid displaying decrypted secrets but leave room for agent error. The SKILL.md also requires python3 in its metadata, while registry-level 'required binaries' was empty — a small inconsistency.
Install Mechanism
No install spec; this is an instruction+script skill that runs the included Python files. No remote downloads or archive extraction are performed by an installer. The scripts claim to use only Python stdlib.
Credentials
The skill declares no required environment variables or primary credential. It asks the user to provide a service API key/secret or use the browser signup flow; storing credentials locally in ~/.clawallex is expected for this functionality. It does not request unrelated secrets or system-wide credentials.
Persistence & Privilege
always is false and the skill does not request to be force-enabled. It writes its own credential files under ~/.clawallex (normal for a CLI client) and does not modify other skills or global agent settings.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install clawallex
  3. After installation, invoke the skill by name or use /clawallex
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.4
clawallex 1.0.4
  • Added a browser-based quick signup flow (`signup` and `signup-check`) for easier new account creation without manually copying API keys.
  • Updated setup instructions to prioritize the new browser signup; connecting with API keys is now for existing users.
  • Updated "Hard Rules" and "Setup Flow" to guide users toward the new quick signup method.
  • Expanded command reference with `signup` and `signup-check` commands, and clarified intent for each setup command.
  • Described possible signup result statuses for improved onboarding troubleshooting.
v1.0.2
clawallex-skill 1.0.1
  • Initial release with full project structure and 61 files added.
  • Provides USDC-to-virtual card conversion for online checkouts.
  • Includes quick start, detailed command reference, and advanced on-chain (x402/EIP-3009) payment flows.
  • Supports wallet management, payments, subscriptions, card refills, and strict handling of card secrets.
  • Features flows for both wallet-based and self-custody (DeFi agent) users.
v1.0.0
Clawallex Skill v1.0.0
  • Initial release: Pay for anything with USDC using virtual cards accepted at any online checkout.
  • Includes setup and connection flow, wallet and card management, payment and subscription support.
  • Provides detailed command reference for account setup, payments, subscriptions, card and wallet actions, and advanced on-chain (x402) flows.
  • Enforces important user protection rules (e.g., card data never exposed, balance checked before payment).
  • Supports both wallet balance mode and advanced on-chain agent mode for automated/decentralized payments.
Metadata
Slug clawallex
Version 1.0.4
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 3
Frequently Asked Questions

What is Clawallex?

Pay for anything with USDC — virtual cards for any online checkout. It is an AI Agent Skill for Claude Code / OpenClaw, with 174 downloads so far.

How do I install Clawallex?

Run "/install clawallex" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Clawallex free?

Yes, Clawallex is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Clawallex support?

Clawallex is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Clawallex?

It is built and maintained by Clawallex (@clawallex-tech); the current version is v1.0.4.
