← Back to Skills Marketplace
payclawinc

Payclaw Badge Pub

by PayClaw, Inc. · GitHub ↗ · v0.5.1
cross-platform ⚠ suspicious
423
Downloads
0
Stars
0
Active Installs
5
Versions
Install in OpenClaw
/install payclaw-badge
Description
Agents are not bots. Prove it. UCP Credential Provider: declare your agent as an authorized actor before shopping at any UCP-compliant merchant. Requires PAY...
Usage Guidance
This skill appears to implement an MCP identity 'Badge' that communicates with payclaw.io; that behavior is consistent with the description. However there are multiple mismatches you should verify before installing: (1) the registry metadata lists no required env vars, but the code requires PAYCLAW_API_KEY (and PAYCLAW_API_URL) — supplying an API key will send it to PayClaw endpoints; (2) README/SKILL.md claim a no-key device-auth fallback, but the code returns an error if PAYCLAW_API_KEY is unset; (3) the manifest has no install spec but SKILL.md tells you to run npx which downloads code from npm. Recommendations: only install if you trust payclaw.io and the npm package @payclaw/badge; inspect the published npm package and the GitHub repository linked in package.json to confirm the code there matches the included source; if you need the 'no-key' flow, confirm it actually exists upstream; treat PAYCLAW_API_KEY as a secret and do not reuse high-privilege keys; and consider running the package in a sandboxed environment first. If you want, I can (a) fetch the published npm package metadata and compare it to these files, or (b) highlight the exact code lines where the documented device-auth behavior diverges from implementation.
Capability Analysis
Type: OpenClaw Skill Name: payclaw-badge Version: 0.5.1 The payclaw-badge skill bundle is a legitimate implementation of an identity provider for AI agents, designed to help them avoid bot detection by merchants. The code implements an MCP server that provides tools for an agent to declare its identity and report its status. While the bundle includes a 'sampling' mechanism in `src/sampling.ts` that allows the server to proactively ask the agent for feedback (e.g., 'Did the merchant block you?') and reports this telemetry back to `payclaw.io`, this behavior is disclosed in the documentation and aligned with the stated purpose of verifying the effectiveness of the identity badge. No evidence of malicious intent, unauthorized data access, or harmful prompt injection was found.
Capability Assessment
Purpose & Capability
Name/description, MCP tools, and included code all align with a PayClaw 'badge' identity provider: it calls a PayClaw API to get a verification token and reports presentation outcomes. However registry metadata claims 'Required env vars: none' while SKILL.md, server.json, README and the code expect PAYCLAW_API_KEY and PAYCLAW_API_URL — an inconsistency suggesting the manifest wasn't kept in sync with implementation.
Instruction Scope
SKILL.md instructs the agent to invoke an MCP stdio tool via 'npx -y @payclaw/badge' and to set PAYCLAW_API_KEY/PAYCLAW_API_URL. The code will: (1) require the API key to call PayClaw endpoints, (2) report trip outcomes back to PayClaw, and (3) attempt to sample the agent by creating messages (serverRef.createMessage) to ask YES/NO about whether the merchant blocked the agent. The README/SKILL.md claim a no-key device auth flow, but getAgentIdentity.ts immediately errors if PAYCLAW_API_KEY is unset — mismatch between claimed behavior and actual instructions/implementation. The sampling behavior means the skill may autonomously send short prompts to the agent; that is expected for this tool but should be explicit to users.
Install Mechanism
No explicit platform install spec in the registry, but SKILL.md instructs use of 'npx -y @payclaw/badge' which will fetch a public npm package (@payclaw/badge). This is a common pattern (moderate risk) — it pulls code from the npm registry, not an arbitrary URL. The included package.json points to a GitHub repo and normal npm dependencies.
Credentials
The code requires PAYCLAW_API_KEY and PAYCLAW_API_URL and uses them to authenticate API calls and to report trip outcomes. The registry metadata declares no required env vars and the skill metadata earlier listed none — that's inconsistent and potentially misleading. The variables requested (API key) are proportional to the stated purpose only if you expect PayClaw to receive identity events; nonetheless, you should assume your PAYCLAW_API_KEY will be sent to PayClaw endpoints and used to authorize reporting.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and keeps trip state in-memory only. It will run as an MCP stdio server (normal for MCP tools) and may autonomously create short sampling messages through the MCP server API — autonomous invocation is the platform default but be aware of the sampling messages.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install payclaw-badge
  3. After installation, invoke the skill by name or use /payclaw-badge
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.5.1
**payclaw-badge 0.5.1** - Updated to require PAYCLAW_API_KEY for usage; device-based auth no longer default. - Setup instructions and README clarified to reflect API key requirement and where to obtain it. - Added notes on minimum Node.js version (20+ required). - Expanded Security & Privacy section with clear credential and data practices.
v0.5.0
V1.2 UCP: no API key required (device auth), UCP Credential Provider, updated tool description, /merchants link
v0.4.0
Formatted CLI output (✓ DECLARED), optional merchant param, brand v2 alignment
v0.3.0
Brand v2: authorized actor framing, skeleton key, KYA. MCP sampling (DQ-54). Four outcome buckets.
v0.1.0
Initial release — agent identity for merchant-compliant shopping
Metadata
Slug payclaw-badge
Version 0.5.1
License
All-time Installs 0
Active Installs 0
Total Versions 5
Frequently Asked Questions

What is Payclaw Badge Pub?

Agents are not bots. Prove it. UCP Credential Provider: declare your agent as an authorized actor before shopping at any UCP-compliant merchant. Requires PAY... It is an AI Agent Skill for Claude Code / OpenClaw, with 423 downloads so far.

How do I install Payclaw Badge Pub?

Run "/install payclaw-badge" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Payclaw Badge Pub free?

Yes, Payclaw Badge Pub is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Payclaw Badge Pub support?

Payclaw Badge Pub is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Payclaw Badge Pub?

It is built and maintained by PayClaw, Inc. (@payclawinc); the current version is v0.5.1.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463556 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259610 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200551 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191226 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190235 · by oswalpalash

💬 Comments