← Back to Skills Marketplace
282
Downloads
0
Stars
0
Active Installs
3
Versions
Install in OpenClaw
/install clawvault-payments
Description
Security middleware for AI agents handling money. Non-custodial crypto wallets and virtual Visa cards with spending limits, whitelists, and human approval.
README (SKILL.md)
ClawVault Agent Skill
You have access to ClawVault, a security middleware for AI agents. ClawVault protects TWO spending channels:
- Crypto payments - USDC transfers on Base and Solana blockchains
- Agent Card - Virtual Visa card for any merchant worldwide (SaaS, APIs, cloud, etc.)
Both channels use the same rules engine. Every transaction is validated against user-defined rules. Transactions within rules auto-approve; transactions outside rules require human approval via Telegram or dashboard.
Security Model
- Non-custodial: Your keys never leave your wallet
- Rule-enforced: Spending limits, whitelists, time windows enforced on-chain
- Human-in-the-loop: Anything outside rules requires explicit approval
- Audit trail: All transactions logged and visible in dashboard
API Base URL
https://api.clawvault.cc
Authentication
All requests require your API key in the Authorization header:
Authorization: Bearer ${CLAWVAULT_API_KEY}
Get your API key at: https://clawvault.cc/agents
CRYPTO PAYMENTS (On-Chain)
1. Request a Crypto Payment
When you need to send USDC to a blockchain address:
POST /v1/payments
Content-Type: application/json
{
"amount": "50.00",
"token": "USDC",
"recipient": "0x1234567890abcdef1234567890abcdef12345678",
"chain": "base",
"reason": "Payment for services rendered",
"skill": "transfer"
}
Response (Success)
{
"success": true,
"data": {
"id": "pi_abc123",
"status": "pending",
"expiresAt": "2026-02-27T12:00:00Z"
}
}
Possible Statuses
auto_approved- Payment executed immediately (within rules)pending- Awaiting human approval via Telegram/dashboarddenied- Payment was rejectedexpired- Approval window closed (5 minutes)
2. Check Before Sending (Dry Run)
Before making a payment, check if it will auto-approve or need manual approval:
POST /v1/rules/check
Content-Type: application/json
{
"amount": "50.00",
"token": "USDC",
"recipient": "0x1234...",
"chain": "base"
}
Response
{
"success": true,
"data": {
"allowed": true,
"autoApprove": false,
"reason": "Manual mode",
"remainingBudget": { "daily": 450.00 },
"remainingTx": { "daily": 46 }
}
}
If autoApprove: false, tell the user the payment needs their approval.
3. Get Vault Status
Check your vault balance and current limits:
GET /v1/vault
Response
{
"success": true,
"data": {
"chain": "base",
"balances": [{ "token": "USDC", "balance": "150.00" }],
"rules": {
"mode": "manual",
"perTxLimit": 500,
"dailyTxMax": 20
}
}
}
AGENT CARD (Visa Card)
Use the Agent Card when you need to pay for:
- SaaS subscriptions (Vercel, Netlify, etc.)
- API services (OpenAI, Anthropic, Twilio, etc.)
- Cloud compute (AWS, GCP, Azure)
- Any merchant that accepts Visa
4. Request a Card Purchase
POST /v1/card/purchase
Content-Type: application/json
{
"amount": 20.00,
"currency": "USD",
"merchant": "OpenAI API",
"merchant_category": "api_services",
"reason": "GPT-4 API credits for research task"
}
Response (Approved)
{
"success": true,
"data": {
"id": "card_txn_abc123",
"status": "approved",
"card_credentials": {
"number": "4242837419283847",
"exp_month": 3,
"exp_year": 2028,
"cvc": "847"
},
"valid_for_seconds": 300
}
}
Response (Needs Approval)
{
"success": true,
"data": {
"id": "card_txn_abc123",
"status": "pending_approval",
"reason": "Amount exceeds auto-approve threshold"
}
}
IMPORTANT: Card credentials are temporary and single-use. Use them immediately at the merchant checkout. Never log or store card credentials.
5. Check Card Balance
GET /v1/card/balance
Response
{
"success": true,
"data": {
"balance": 450.00,
"currency": "USD",
"spent_today": 50.00,
"spent_this_month": 350.00,
"daily_limit": 500.00,
"monthly_limit": 5000.00
}
}
6. Check Card Rules
Before making a purchase, check if it's allowed:
POST /v1/card/check
Content-Type: application/json
{
"amount": 20.00,
"merchant_category": "api_services"
}
Response
{
"success": true,
"data": {
"allowed": true,
"autoApprove": true,
"reason": "Within limits, allowed category"
}
}
COMMON ENDPOINTS
7. Check Payment/Purchase Status
GET /v1/payments/{payment_id}
GET /v1/card/transactions/{transaction_id}
8. List Recent Transactions
GET /v1/transactions?limit=10
GET /v1/card/transactions?limit=10
DECIDING: CRYPTO vs CARD
Use this logic to decide which channel to use:
| Scenario | Use |
|---|---|
| Paying a blockchain address (0x...) | Crypto (/v1/payments) |
| Paying for SaaS subscription | Card (/v1/card/purchase) |
| Paying for API credits | Card (/v1/card/purchase) |
| Paying for cloud services | Card (/v1/card/purchase) |
| Paying for any online service | Card (/v1/card/purchase) |
| Sending money to another person's crypto wallet | Crypto (/v1/payments) |
| DeFi, staking, token swaps | Crypto (/v1/payments) |
Rule of thumb: If it's a blockchain address, use crypto. If it's a company/service, use the card.
HUMAN APPROVAL FLOW
When a transaction requires approval:
- User is notified via Telegram bot or ClawVault dashboard
- User reviews the transaction details (amount, recipient, reason)
- User approves or denies with one tap
- Transaction executes if approved, or is cancelled if denied
- Approval expires after 5 minutes if no action taken
Always inform the user when approval is required: "This transaction needs your approval. Check your Telegram or ClawVault dashboard."
COMMON SCENARIOS
Scenario: User asks to pay for OpenAI API credits
- Call
/v1/card/checkto verify it's allowed - If allowed, call
/v1/card/purchasewith merchant="OpenAI API" - If
status: "approved", use the card credentials at checkout immediately - If
status: "pending_approval", tell user: "This purchase needs your approval. Check Telegram or ClawVault dashboard."
Scenario: User asks to send USDC to an address
- Call
/v1/rules/checkto see if it will auto-approve - Call
/v1/paymentswith the recipient address - If
status: "pending", tell user to approve in Telegram
Scenario: Card purchase denied
Tell the user: "The purchase was denied. Reason: {reason}. Check ClawVault dashboard for details."
Scenario: Insufficient card balance
Tell the user: "Insufficient card balance. Current balance: ${balance}. The card needs to be funded."
ERROR HANDLING
Common Errors
| Code | Meaning | Action |
|---|---|---|
INVALID_KEY |
Bad API key | Check your API key |
TIER_LIMIT_EXCEEDED |
Monthly limit reached | User needs to upgrade |
INSUFFICIENT_BALANCE |
Not enough funds | User needs to deposit (crypto) or fund card |
RULE_VIOLATION |
Outside allowed parameters | Check the reason field |
CARD_FROZEN |
Card is frozen | User needs to unfreeze in dashboard |
MERCHANT_BLOCKED |
Merchant category not allowed | Cannot purchase from this merchant |
CARD_NOT_ACTIVE |
Card not set up | User needs to apply for Agent Card |
Error Response Format
{
"success": false,
"error": {
"code": "RULE_VIOLATION",
"message": "Exceeds per-transaction limit of $100"
}
}
SECURITY BEST PRACTICES
- Never log card credentials - Card numbers, CVCs are sensitive
- Always check first - Use
/v1/rules/checkor/v1/card/checkbefore transactions - Explain to users - If approval is needed, tell them where to approve
- Handle pending - Don't assume transactions complete immediately
- Use card credentials immediately - They expire in 5 minutes
- Show transaction links - For crypto, link to
https://basescan.org/tx/{txHash}
SUPPORT
- Dashboard: https://clawvault.cc
- Docs: https://clawvault.cc/docs
- API Status: https://api.clawvault.cc/health
- Source: https://github.com/andrewszk/clawvault-mcp-server
Usage Guidance
This skill is internally coherent for its stated purpose, but it enables real money transfers, so proceed cautiously: (1) Only provide a ClawVault API key with least privilege and use sandbox/test credentials first if available. (2) Ensure your ClawVault rules require human approval for anything you don't want automated. (3) Limit which agents/apps are allowed to use this skill and monitor transactions closely. (4) Vet the external service (https://clawvault.cc and the GitHub repo) before entrusting real funds. (5) Never share or persist temporary card credentials — follow the SKILL.md guidance. If you need higher assurance, request the skill publisher provide audited server-side code or a security review before enabling it for autonomous agents.
Capability Analysis
Type: OpenClaw Skill
Name: clawvault-payments
Version: 1.0.2
The skill bundle provides instructions for an AI agent to interact with ClawVault, a payment middleware service for crypto and virtual Visa cards. The documentation (SKILL.md) outlines API endpoints for payments, balance checks, and rule validation, while emphasizing security practices such as human-in-the-loop approvals and the avoidance of logging sensitive card credentials. No malicious code, data exfiltration patterns, or harmful prompt injections were identified.
Capability Assessment
Purpose & Capability
Name/description, endpoints in SKILL.md, and required primaryEnv (CLAWVAULT_API_KEY) align: this is a payments middleware skill and it only requests the API key it needs to call the ClawVault API.
Instruction Scope
SKILL.md contains only HTTP API usage patterns against https://api.clawvault.cc (payment, rule checks, card requests, status/listing). It does not instruct reading local files, unrelated env vars, or sending data to other endpoints.
Install Mechanism
Instruction-only skill with no install spec and no code files — nothing is written to disk or installed by the skill itself.
Credentials
Only a single credential (CLAWVAULT_API_KEY) is declared as required and is appropriate for an API-driven payments service. No unrelated secrets or config paths are requested.
Persistence & Privilege
always:false and normal model invocation settings — the skill can be invoked autonomously (platform default). Because the skill enables real financial actions, autonomous invocation increases risk; prefer requiring human approval in the vault rules or restricting which agents can call this skill.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install clawvault-payments - After installation, invoke the skill by name or use
/clawvault-payments - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.2
Added proper metadata: homepage, source, required credentials, security model documentation.
v1.0.1
Security middleware for AI agents handling money. Crypto wallets + virtual cards.
v1.0.0
Security middleware for AI agents handling money. Crypto wallets + virtual cards.
Metadata
Frequently Asked Questions
What is ClawVault Payments?
Security middleware for AI agents handling money. Non-custodial crypto wallets and virtual Visa cards with spending limits, whitelists, and human approval. It is an AI Agent Skill for Claude Code / OpenClaw, with 282 downloads so far.
How do I install ClawVault Payments?
Run "/install clawvault-payments" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is ClawVault Payments free?
Yes, ClawVault Payments is completely free (open-source). You can download, install and use it at no cost.
Which platforms does ClawVault Payments support?
ClawVault Payments is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created ClawVault Payments?
It is built and maintained by clawvault (@andrewszk1); the current version is v1.0.2.
More Skills