← Back to Skills Marketplace
293
Downloads
0
Stars
0
Active Installs
3
Versions
Install in OpenClaw
/install pg-buy
Description
Use when buying API access through ProxyGate — depositing USDC, browsing available APIs, making proxy requests, streaming responses, or rating sellers. Make...
Usage Guidance
This skill seems to be a legitimate ProxyGate buyer helper, but it tells the agent to use your local Solana keypair and CLI to deposit/withdraw USDC and to proxy arbitrary API requests — actions that require access to sensitive secrets and can move money. Before installing: (1) verify the skill's provenance (homepage, author, and source code) — this skill has no homepage listed; (2) assume the agent will need access to ~/.proxygate/keypair.json and ~/.proxygate/config.json or an API key; do not expose your full wallet/private key unless you trust the skill and its author; (3) prefer using a dedicated limited-funds wallet or test keypair and enable dry-run flags when possible; (4) require explicit user confirmation for any deposit/withdraw commands (ask the platform maintainer how to enforce confirmation); (5) if you cannot verify the author or you need stricter guarantees, decline or restrict the skill until it declares required credentials and a clear consent flow.
Capability Analysis
Type: OpenClaw Skill
Name: pg-buy
Version: 0.2.1
The skill bundle facilitates interaction with 'ProxyGate,' a service for purchasing API access using USDC on the Solana blockchain. It includes high-risk capabilities such as managing private Solana keypairs (~/.proxygate/keypair.json), executing financial transactions (deposits and withdrawals), and routing potentially sensitive API traffic through a third-party gateway (https://gateway.proxygate.ai). While these actions are aligned with the stated purpose in SKILL.md and references/commands.md, the automated handling of crypto wallets and the proxying of data constitute significant security risks.
Capability Assessment
Purpose & Capability
The skill's stated purpose (buying API access through ProxyGate) matches the CLI/SDK commands in SKILL.md: balance checks, deposits, proxy requests, ratings, withdrawals. Requiring a Solana wallet or API key is logically consistent with that purpose. However, the skill metadata declares no required env vars or config paths, while the instructions explicitly reference a keypair path (~/.proxygate/keypair.json) and config (~/.proxygate/config.json). That mismatch is unexpected and should have been declared.
Instruction Scope
The SKILL.md tells the agent to run commands that access local wallet/keypair files, initialize a vault, deposit USDC (on-chain), withdraw funds, and proxy arbitrary upstream API requests (including streaming and shield modes). These actions involve sensitive local files and financial transactions and will send data to external endpoints (gateway.proxygate.ai and upstream APIs). The instructions also encourage always using this skill for many user intents, giving broad discretion. There is no explicit requirement in the document that the agent must obtain explicit user confirmation before performing fund-moving commands.
Install Mechanism
This is an instruction-only skill with no install spec and no code files. That reduces attack surface from supply-chain installs; the skill will only instruct the agent to call existing CLI/SDK tools assumed to be present.
Credentials
The skill metadata lists no required environment variables or credentials, yet the docs reference API keys and a Solana keypair file, and CLI flags exist to override API key or point to a keypair. Those are sensitive secrets (wallet private keys / API keys) and should have been declared. The agent may be directed to read or use these secrets, which is disproportionate relative to the declared (empty) requirements.
Persistence & Privilege
always: false (good), but the skill is allowed autonomous invocation (platform default). Combined with the ability to perform deposits/withdrawals and the SKILL.md's recommendation to 'Make sure to use this skill whenever...' this gives an autonomously-invoked skill the potential to perform financial operations without clear manual confirmation. That combination increases risk and should be mitigated by requiring explicit user consent for fund-moving actions.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install pg-buy - After installation, invoke the skill by name or use
/pg-buy - Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.2.1
Sync with CLI v0.2.1 — updated commands, descriptions, and examples
v1.0.1
Add openclaw metadata: declare required binary (proxygate)
v1.0.0
Initial release of ProxyGate API-buying skill.
- Enables buying API access through ProxyGate: deposit USDC, discover APIs, make proxy requests, stream responses, and rate sellers.
- CLI commands and SDK usage included for full buyer workflow.
- Filtering, browsing, and searching APIs by category, service, and features.
- Added shield scanning for proxy requests (content moderation).
- Includes instructions for checking usage, settlements, and withdrawing USDC.
- Explicit skill invocation guidance for relevant user intents (API buying, proxy requests, deposits, etc.).
Metadata
Frequently Asked Questions
What is Pg Buy?
Use when buying API access through ProxyGate — depositing USDC, browsing available APIs, making proxy requests, streaming responses, or rating sellers. Make... It is an AI Agent Skill for Claude Code / OpenClaw, with 293 downloads so far.
How do I install Pg Buy?
Run "/install pg-buy" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Pg Buy free?
Yes, Pg Buy is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Pg Buy support?
Pg Buy is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Pg Buy?
It is built and maintained by jwelten (@jwelten); the current version is v0.2.1.
More Skills