icetroll

OpenClaw Paid Actions

by Icey · GitHub ↗ · v0.2.2
cross-platform ⚠ suspicious
631 Downloads · 0 Stars · 1 Active Installs · 3 Versions
Install in OpenClaw
/install openclaw-paid-actions
Description
Use the openclaw_paid_action tool to list actions, generate USDC invoices, and execute only after manual payment confirmation on Solana.
Usage Guidance
What to check before installing:
  1. Confirm you have a trusted implementation of the openclaw_paid_action tool (source, release, or vendor) because the SKILL is instruction-only.
  2. Review every configured action command (e.g., scripts/paid-actions/*) before enabling; those commands execute with the agent's privileges and receive the action input via OPENCLAW_PAID_ACTION_INPUT_JSON.
  3. Store OPENCLAW_PAID_ACTIONS_INVOICE_SECRET securely and consider using a signing key with limited scope/funds for testing.
  4. Ensure invoice store path is on a secure filesystem and that the agent's config storage is trusted.
  5. Limit tools.allow and do not enable autonomous invocation unless you trust the configured actions and have enforced reviewed-scripts policy.
  6. If you need higher assurance, ask the publisher for source code or a release URL and verify the openclaw_paid_action implementation before enabling the skill.
Capability Analysis
Type: OpenClaw Skill
Name: openclaw-paid-actions
Version: 0.2.2
The skill bundle is classified as suspicious due to the described architecture in `SKILL.md` that allows for the execution of external scripts (e.g., `scripts/paid-actions/x-shoutout.mjs`) with input derived from potentially untrusted sources (`OPENCLAW_PAID_ACTION_INPUT_JSON`). While the `SKILL.md` itself does not contain malicious code or direct prompt injection, it outlines a design pattern where a vulnerability in the external scripts could lead to Remote Code Execution (RCE). The documentation acknowledges this risk by recommending `enforceReviewedScripts: true` and advising to 'Review every configured action command before enabling autonomous execution', indicating a known attack surface.
Capability Assessment
Purpose & Capability
Name/description (paid actions, USDC invoices, Solana confirmation) match the declared needs: node binary, a payment recipient (OPENCLAW_USDC_PAY_TO), an invoice signing secret, and an invoice store path. Config keys are scoped to plugins.entries.openclaw-paid-actions, which is coherent for a plugin.
Instruction Scope
SKILL.md is instruction-only and instructs the agent to call an external tool openclaw_paid_action to list/quote/invoice/confirm/wait/execute. It documents that action inputs are surfaced to executed commands via OPENCLAW_PAID_ACTION_INPUT_JSON. This is expected for the purpose but means any configured action command will run with that input and can access local system resources; verify that configured commands are reviewed and safe before enabling autonomous execution.
Install Mechanism
No install spec and no code files are present (instruction-only). This lowers delivery risk because nothing is downloaded or written by an installer from the skill bundle itself. However the skill assumes an out-of-band implementation of openclaw_paid_action is already installed and trusted.
Credentials
Requested env vars are appropriate for a payment/invoice plugin (pay-to address, signing secret, persistent store path). The invoice secret is a sensitive credential and invoiceStorePath implies file-system persistence; ensure the secret's scope and storage permissions are limited. No unrelated credentials are requested.
Persistence & Privilege
The skill declares required config paths under plugins.entries.openclaw-paid-actions.*, which implies it will be enabled/configured in agent plugin settings and may persist secrets/config. `always` is false (not force-included). This is reasonable for a plugin, but be aware that enabling it grants the plugin the ability to run configured commands and store invoices/secrets in the agent's config/storage.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install openclaw-paid-actions
  3. After installation, invoke the skill by name or use /openclaw-paid-actions
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.2.2
Declare required env/config/bin metadata and clarify trusted external plugin dependency for instruction-only skill.
v0.2.1
Security preflight enforcement, reviewed-script policy, runtime binary/version checks, and updated operator guidance.
v0.2.0
On-chain USDC validation + reply tx extraction
Metadata
Slug openclaw-paid-actions
Version 0.2.2
License
All-time Installs 1
Active Installs 1
Total Versions 3
Frequently Asked Questions

What is OpenClaw Paid Actions?

Use the openclaw_paid_action tool to list actions, generate USDC invoices, and execute only after manual payment confirmation on Solana. It is an AI Agent Skill for Claude Code / OpenClaw, with 631 downloads so far.

How do I install OpenClaw Paid Actions?

Run "/install openclaw-paid-actions" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is OpenClaw Paid Actions free?

Yes, OpenClaw Paid Actions is completely free (open-source). You can download, install and use it at no cost.

Which platforms does OpenClaw Paid Actions support?

OpenClaw Paid Actions is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created OpenClaw Paid Actions?

It is built and maintained by Icey (@icetroll); the current version is v0.2.2.
