paparusi

A2A Payments

by Lê Minh Hiếu · GitHub ↗ · v2.0.1
cross-platform ⚠ suspicious
Downloads: 581 · Stars: 0 · Active Installs: 0 · Versions: 2
Install in OpenClaw
/install a2a-payments
Description
Blockchain USDC payments via APay — pay services, manage budgets, open streaming channels, and handle x402 protocol.
README (SKILL.md)

A2A Payments (APay)

Blockchain-native USDC payments for AI agents on Base chain. Pay for services, manage budgets, and handle micropayments.

Quick Start

Check your balance:

Use apay_check_balance to see my USDC balance

Pay a service:

Use apay_pay_service with serviceId "svc-123" and amount "0.50"

Available Tools

Balance & Budget

| Tool | Description |
|------|-------------|
| apay_check_balance | Check USDC balance, daily budget, spending limits |
| apay_budget_check | Verify if a specific amount is affordable |
| apay_spending_history | Get spending analytics and history |

Payments

| Tool | Description |
|------|-------------|
| apay_pay_service | Pay a service (agent pays gas) |
| apay_pay_signed | Gasless signed payment (server submits on-chain) |
| apay_estimate_cost | Estimate cost including 0.5% platform fee |

Services

| Tool | Description |
|------|-------------|
| apay_list_services | List available APay services |
| apay_get_service | Get detailed service info |

Payment Channels (Streaming)

| Tool | Description |
|------|-------------|
| apay_channel_status | Check channel status |
| apay_stream_open | Open channel with USDC deposit |
| apay_stream_pay | Sign off-chain micropayment |
| apay_stream_close | Close channel (refund unspent) |

x402 Protocol

| Tool | Description |
|------|-------------|
| apay_x402_fetch | Fetch URL with automatic x402 payment on HTTP 402 |

Workflows

Pay for a tool execution

  1. apay_budget_check — verify affordability
  2. apay_estimate_cost — see total with fees
  3. apay_pay_service — execute payment
  4. Receive payment receipt with tx hash

Streaming micropayments

For services that charge per-request (API calls, data feeds):

  1. apay_stream_open — deposit USDC into channel
  2. apay_stream_pay — sign micropayments (off-chain, instant)
  3. apay_stream_close — settle on-chain, refund remainder

x402 auto-payment

For services using the HTTP 402 payment protocol:

Use apay_x402_fetch with url "https://api.example.com/premium/data" and maxPayment "1.00"

The tool automatically detects 402 responses, pays the required amount, and retries the request.
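
A pre-payment policy check that an auto-pay-on-402 flow like this can be put behind, shown as an added example (not code from the APay plugin or its author). The function names, the `policy` fields, and `quotedAmount` (the amount the 402 response demands, assumed already parsed) are hypothetical; the fee is assumed to be added on top of the quote and rounded up.

```javascript
// Added example: hypothetical guard, not part of the APay plugin or its API.
const FEE_BPS = 50n; // 0.5% platform fee from the page, assumed added on top, rounded up

// Decimal USDC string -> integer micro-units (6 decimals), no floating point.
function toMicro(amount) {
  const m = /^(\d+)(?:\.(\d{1,6}))?$/.exec(String(amount).trim());
  if (!m) throw new Error(`invalid USDC amount: ${amount}`);
  return BigInt(m[1]) * 1000000n + BigInt((m[2] || '').padEnd(6, '0'));
}

function withFee(micro) {
  return micro + (micro * FEE_BPS + 9999n) / 10000n;
}

// Returns a refusal reason, or null if the URL may be fetched and paid.
function checkUrl(raw, allowedHosts) {
  let u;
  try { u = new URL(raw); } catch (e) { return 'unparseable URL'; }
  if (u.protocol !== 'https:') return 'scheme is not https';
  if (u.username || u.password) return 'credentials embedded in URL';
  const host = u.hostname.toLowerCase();
  if (/^\d+(\.\d+){3}$/.test(host) || host.startsWith('[')) return 'IP-literal host';
  if (!allowedHosts.includes(host)) return 'host not allow-listed';
  return null;
}

// req.quotedAmount: amount the 402 response demands (assumed already parsed).
function decide(req, policy, spentTodayMicro) {
  const problem = checkUrl(req.url, policy.allowedHosts);
  if (problem) return { action: 'deny', reason: problem };
  let total;
  try { total = withFee(toMicro(req.quotedAmount)); }
  catch (e) { return { action: 'deny', reason: e.message }; }
  if (total > toMicro(req.maxPayment))
    return { action: 'deny', reason: 'quote plus fee exceeds maxPayment' };
  if (spentTodayMicro + total > toMicro(policy.dailyBudget))
    return { action: 'deny', reason: 'daily budget exceeded' };
  if (total > toMicro(policy.autoApproveBelow))
    return { action: 'ask_user', totalMicro: total };
  return { action: 'pay', totalMicro: total };
}

// Constructed policy and request, mirroring the README's x402 example values.
const policy = { allowedHosts: ['api.example.com'], dailyBudget: '5.00', autoApproveBelow: '0.10' };
const req = { url: 'https://api.example.com/premium/data', quotedAmount: '0.50', maxPayment: '1.00' };
console.log(decide(req, policy, 0n).action);
```

A quote of exactly `maxPayment` is refused here because the fee pushes the total over the cap, and anything above the auto-approve threshold is routed to the user instead of being paid silently.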

Network

  • Chain: Base (Coinbase L2)
  • Stablecoin: USDC (6 decimals)
  • Model: Escrow-based sessions with spending limits
  • Testnet: base-sepolia for development
Usage Guidance
Do not install this skill until you verify how payments are authorized and where signing happens. Ask the publisher for documentation showing: (1) whether payments are signed client-side (and how private keys are provided/stored) or server-side (and what API credentials are required), (2) what safeguards prompt for user consent and enforce spending limits, and (3) the npm package source, version, and audit info. If you proceed, test only on the specified testnet, restrict any credentials to least privilege, and review the @a2a/openclaw-plugin package contents (or its source repository) before granting it network or wallet access.
Capability Analysis
Type: OpenClaw Skill · Name: a2a-payments · Version: 2.0.1

The skill is classified as suspicious due to its inherent high-risk capabilities, even though they align with its stated purpose. The `SKILL.md` instructs the agent to install an external Node.js package (`@a2a/openclaw-plugin`), introducing a supply chain risk. More critically, the skill provides tools like `apay_pay_service` and `apay_pay_signed` for initiating financial transactions, and `apay_x402_fetch` which allows the agent to fetch arbitrary URLs. The ability to make payments and fetch arbitrary URLs represents a significant vulnerability risk (e.g., SSRF via `apay_x402_fetch` or financial loss via payment tools) if the agent is compromised or instructed maliciously, even without explicit malicious intent in the skill's instructions themselves.
Capability Assessment
Purpose & Capability
The skill's stated purpose is making on-chain USDC payments, opening streaming channels, and auto-paying HTTP 402 endpoints. Those actions normally require a signing key or an API/service credential, yet the skill declares no required environment variables, no wallet configuration, and no primary credential. This is incoherent: either the plugin/service needs access to private keys or server-side signing, or the metadata is incomplete.
Instruction Scope
SKILL.md instructs the agent to 'use' apay_* tools (check balance, pay services, auto-pay 402 responses) but is vague about confirmation flows, consent, or limits. The x402 auto-payment description implies automatic detection of 402 responses and paying/retrying requests — a behavior that could cause unexpected spending if consent/limits are not enforced. The instructions do not reference reading local files or extra env vars, but the high-level guidance grants broad authority to execute payments without explicit safety steps.
Install Mechanism
The install spec is an npm package (@a2a/openclaw-plugin). Using npm is a common pattern and not inherently malicious, but it means arbitrary code from the package will run in the agent environment. No homepage, publisher information, or checksum is provided in the skill metadata, so the package's provenance and contents should be inspected before installing.
Credentials
No environment variables, keys, or API tokens are declared despite the need to authorize and sign payments. This absence is disproportionate to the stated functionality. If the plugin relies on a remote service to sign payments, that service should require and declare credentials; if it expects local wallets, the skill should declare how keys are provided. The current metadata gives no justification for the missing credentials.
Persistence & Privilege
The skill does not request always:true and keeps default autonomous invocation. Autonomous invocation plus the ability to send payments increases risk because the agent could act without a user prompt. The skill lacks documentation of required user confirmations or spending safeguards, which combined with autonomous invocation is notable but not itself a configuration error.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install a2a-payments
  3. After installation, invoke the skill by name or use /a2a-payments
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v2.0.1
APay USDC payment tools for AI agents on Base chain. Budget management, service payments, streaming channels, and x402 protocol support.
v2.0.0
Initial release — APay blockchain USDC payments with 13 tools on Base mainnet
Metadata
Slug a2a-payments
Version 2.0.1
License
All-time Installs 0
Active Installs 0
Total Versions 2
Frequently Asked Questions

What is A2A Payments?

Blockchain USDC payments via APay — pay services, manage budgets, open streaming channels, and handle x402 protocol. It is an AI Agent Skill for Claude Code / OpenClaw, with 581 downloads so far.

How do I install A2A Payments?

Run "/install a2a-payments" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is A2A Payments free?

Yes, A2A Payments is completely free (open-source). You can download, install and use it at no cost.

Which platforms does A2A Payments support?

A2A Payments is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created A2A Payments?

It is built and maintained by Lê Minh Hiếu (@paparusi); the current version is v2.0.1.
