Okx 402 Payment

by ok-james-01 · GitHub ↗ · v2.6.0 · MIT-0
cross-platform ⚠ suspicious
Downloads: 154 · Stars: 0 · Active Installs: 0 · Versions: 4
Install in OpenClaw
/install okx-x402-payment
Description
Sign an x402 payment authorization for an EXTERNAL / third-party payment-gated resource. Use only when the user explicitly mentions 'x402' (or 'sign x402 pay...
Usage Guidance
This skill implements x402 payment signing and appears to do that end-to-end, but there are important questions you should resolve before using it:
- The SKILL.md calls the onchainos CLI but the skill metadata does not list onchainos as a required binary. Verify that the onchainos CLI is present, trusted, and that you understand which binary will be executed.
- The instructions tell the agent to read ../okx-agentic-wallet/_shared/preflight.md (or _shared/preflight.md). Inspect that referenced file first — it could contain sensitive instructions or references to other credentials. A skill should not need to read sibling-skill files without explicit justification.
- The skill supports 'local signing with a private key'. Never paste or send your raw private keys unless you fully trust the skill and the execution environment. Prefer TEE/hardware-wallet signing via a wallet session rather than providing key material directly.
- Ask the publisher (or inspect the full SKILL.md) to: (a) explicitly declare required binaries (onchainos), (b) explain how wallet sessions are initiated and authorized, and (c) show the exact prompts used if the skill requests private keys or other secrets at runtime.
If the publisher updates the metadata to declare onchainos as a required binary and confirms the referenced preflight file contains only benign helper text (no secret access), and if the skill never requests raw private keys (or clearly documents a secure input flow), this assessment could move toward benign. Until then, treat the skill with caution and do not supply private keys or global credentials.
Capability Analysis
Type: OpenClaw Skill
Name: okx-x402-payment
Version: 2.6.0
The skill bundle contains instructions in SKILL.md that direct the AI agent to perform high-risk operations, specifically reading sensitive credentials (EVM_PRIVATE_KEY) from a local configuration file (~/.onchainos/.env). Furthermore, the operational flow involves taking potentially untrusted JSON payloads from external HTTP 402 responses and passing them directly into shell commands (e.g., onchainos payment x402-pay --accepts '...'), which creates a significant risk of shell injection or command manipulation. While these capabilities are aligned with the stated purpose of facilitating x402 payments, the handling of raw private keys and the lack of explicit sanitization for shell-bound data are meaningful high-risk behaviors.
Capability Tags
crypto, requires-wallet, can-make-purchases, requires-sensitive-credentials
Capability Assessment
Purpose & Capability
The SKILL.md repeatedly instructs the agent to call the onchainos CLI (e.g., onchainos payment x402-pay, onchainos payment eip3009-sign) and to perform wallet-based signing. However the skill metadata declares no required binaries or runtime dependencies. A skill that relies on a specific CLI should declare that requirement; the absence is an incoherence that could mislead users about what will actually run.
Instruction Scope
The instructions tell the agent to read an external preflight file at ../okx-agentic-wallet/_shared/preflight.md (or _shared/preflight.md) before running. Asking the agent to read sibling-skill files or files outside its own bundle is scope creep and may expose unrelated configuration or secrets. The skill also supports 'local signing with user's private key' — which implies collecting sensitive secrets at runtime even though no env vars or secure input channels are declared.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so there is no installer-based risk. Nothing will be written to disk by an install step. Risk arises from runtime actions, not installation.
Credentials
No environment variables, credentials, or config paths are declared in the registry metadata. Yet the operation modes (TEE wallet session or local private-key signing) implicitly require access to wallet sessions or private keys. The skill does not declare how private keys or wallet sessions are obtained, stored, or protected; that gap is disproportionate and should be clarified.
Persistence & Privilege
The skill is not force-included (always: false) and allows normal autonomous invocation. It does not request persistent platform privileges in the metadata. No red flags in persistence/privilege beyond the other issues noted.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install okx-x402-payment
  3. After installation, invoke the skill by name or use /okx-x402-payment
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v2.6.0
**Summary:** This release refocuses the skill to handle only explicit third-party x402 payment requests and clarifies routing rules.
- Restricts usage to external/third-party x402 payment-gated resources only.
- Updates the description to emphasize explicit user intent ("x402" mention for non-onchainos URLs).
- Adds detailed skill routing table—redirects all onchainos and Market API-related intents to specialized skills.
- Removes all guidance for built-in/onchainos x402 flows from this skill.
- Keeps payment protocol, chain/network info, and operational flow unchanged.
v2.4.0
Version 2.4.0
- Updated the metadata version to 2.4.0.
- No changes to code or instruction content.
- All core usage flows, warnings, and examples remain unchanged.
- No file or schema changes detected in this update.
v2.2.10
No file changes detected.
- Version metadata updated from 2.2.7 to 2.2.10
- No functional or documentation changes in this release
v2.2.7
okx-x402-payment v2.2.7
- Updated SKILL.md with detailed usage instructions, protocol background, and command index for the x402 payment authorization process.
- Clarified support for EVM-compatible chains only, with CAIP-2 network identifiers.
- Added step-by-step operational flow: initial request, 402 payload extraction, user confirmation prompt, and security reminders.
- Emphasized the requirement for explicit user confirmation before initiating wallet checks or signing operations.
- Provided clear routing guidance for related wallet, swap, security, and transaction functions.
Metadata
Slug okx-x402-payment
Version 2.6.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 4
Frequently Asked Questions

What is Okx 402 Payment?

Sign an x402 payment authorization for an EXTERNAL / third-party payment-gated resource. Use only when the user explicitly mentions 'x402' (or 'sign x402 pay... It is an AI Agent Skill for Claude Code / OpenClaw, with 154 downloads so far.

How do I install Okx 402 Payment?

Run "/install okx-x402-payment" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Okx 402 Payment free?

Yes, Okx 402 Payment is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Okx 402 Payment support?

Okx 402 Payment is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Okx 402 Payment?

It is built and maintained by ok-james-01 (@ok-james-01); the current version is v2.6.0.
