← Back to Skills Marketplace
🔌
paynode-402
by
PayNodeLabs
· GitHub ↗
· v2.7.5
· MIT-0
250
Downloads
1
Stars
1
Active Installs
16
Versions
Install in OpenClaw
/install paynode-402
Description
Dynamic Premium API Marketplace for AI Agents. Grants access to an ever-expanding registry of real-time external tools (e.g., web search, crypto oracles, web...
Usage Guidance
This skill is internally coherent for its stated purpose, but it requires a highly sensitive private key that can sign on-chain payments. Before installing: (1) Never supply a long-term or high-value private key — use a burner wallet with minimal funds. (2) Verify or pin the CLI package source (git clone and local build or pin @paynodelabs/paynode-402-cli@<VERSION>) before running in production. (3) Inspect ~/.config/paynode/config.json if present and remove any non-burner keys. (4) Ensure your agent platform enforces interactive confirmation for any mainnet spend (or set disable-model-invocation if you cannot enforce confirmations). (5) Prefer testnet/network=testnet for initial trials and audit the published npm/GitHub package if you plan to use this in a production flow. The scanner found no code files in the skill bundle (instruction-only), but that does not replace auditing the external CLI package referenced in SKILL.md.
Capability Analysis
Type: OpenClaw Skill
Name: paynode-402
Version: 2.7.5
The skill is classified as suspicious due to its requirement for a `CLIENT_PRIVATE_KEY` and its reliance on `bunx` to execute remote code from `@paynodelabs/paynode-402-cli`, which poses significant supply-chain and credential theft risks. Furthermore, `SKILL.md` contains instructions that steer the AI agent to prioritize this paid service over its internal knowledge, potentially leading to unexpected financial transactions. The future-dated `publishedAt` timestamp in `_meta.json` (April 2026) is an additional anomaly that suggests non-standard publishing practices.
Capability Tags
Capability Assessment
Purpose & Capability
Name/description (paid API marketplace) align with the declared requirements: the CLI examples use bunx, the skill requires the bun binary, and it needs a CLIENT_PRIVATE_KEY to sign on-chain payments. The config fallback (~/.config/paynode/config.json) is consistent with the described behavior. No unrelated credentials or binaries are requested.
Instruction Scope
SKILL.md is instruction-only and contains concrete bunx commands and safety rules (prompt user before mainnet spending, use burner wallets, fetch get-api-detail before invoking). It also instructs the agent to read CLIENT_PRIVATE_KEY from env or fallback config — this is within scope but sensitive. The skill explicitly requires user confirmation for spending, which reduces surprising autonomous behavior if the agent follows these rules.
Install Mechanism
No install spec; instruction-only skill (no code files). This means nothing is fetched or written by an automated installer at install time, which lowers supply-chain risk. SKILL.md references an external CLI package (bunx @paynodelabs/...), but no automatic download/install is declared in the skill metadata.
Credentials
Only one required credential (CLIENT_PRIVATE_KEY) is declared, which is proportionate to a wallet-signing CLI. However, this is a high-value secret (a private key). The fallback to a local config file increases the ways the secret can be present on disk. The SKILL.md itself warns to use burner keys and to verify config contents — appropriate but places responsibility on the user/operator.
Persistence & Privilege
always:false (good). disable-model-invocation:false (normal default), meaning the agent could invoke the skill autonomously; combined with a live CLIENT_PRIVATE_KEY this increases blast radius if the agent/platform does not enforce the SKILL.md's explicit prompt/confirm requirement. The skill does not request modification of other skills or system-wide config.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install paynode-402 - After installation, invoke the skill by name or use
/paynode-402 - Provide required inputs per the skill's parameter spec and get structured output
Version History
v2.7.5
- Version bump from 2.7.4 to 2.7.5.
- To use v2.7.2 cli version.
- No file changes detected; internal version update only.
v2.7.4
Version 2.7.4
- Documentation updated to clarify that the "clarify" tool must be used to explicitly ask humans for permission before executing paid API commands on mainnet.
- No changes to functionality or code; the update is documentation-only.
- Reinforces the requirement for user confirmation before spending real USDC on mainnet.
v2.7.3
- Updated homepage field location in metadata for improved consistency.
- Clarified use of --confirm-mainnet flag for all mainnet operations, including read-only commands.
- Enhanced mainnet safety messaging: explicit user approval is now required for any action potentially spending real USDC.
- Revised Quick Start and Command Reference sections to reflect flag usage and provide clearer command examples.
- No code changes; documentation and metadata improvements only.
v2.7.2
Version 2.7.2
- Improved documentation of supply chain, auditability, and open source verifiability for PayNode CLI and dependencies.
- Added guidance for locked/pinned CLI versions and instructions for strict local installs.
- Revised quick start and troubleshooting sections for greater clarity and user onboarding.
- No functional or CLI interface changes; update focuses on usability and documentation detail.
v2.7.1
- Added a new critical security rule: "Financial Optimization (CRITICAL)" — agents must avoid calling paid APIs multiple times for the same context and should store responses locally to minimize USDC usage.
- Clarified that responses should be piped to a temporary file and parsed locally to save costs.
- No code or CLI command changes; documentation and governance updates only.
v2.7.0
v2.7.0 is a major update refocusing the skill as a dynamic premium API marketplace for AI Agents.
- Expanded description: emphasizes dynamic marketplace, real-time API access, and agent usage guidance.
- New security warning section: clearer safety practices, supply chain advice, and testnet-first guidance.
- Improved governance: updates protocol for agents, disables internal logs in JSON mode, clarifies input schema/sample response requirements.
- Enhanced usage instructions: mandates marketplace discovery before error or fallback, encourages always checking available APIs for real-time or external data needs.
- Updated resource and workflow documentation; CLI command table improved for agent clarity.
v2.6.0
**Security governance requirements are now stricter; mainnet operations must always prompt for explicit YES confirmation and enforce burner wallet usage.**
- Security section updated: stricter language, "Critical" priority, and emphasis on burner wallet-only policy.
- YES-confirmation workflow for mainnet payments now explicitly mandatory.
- Only read local file paths created during the current request/session.
- Initial marketplace indexing on cold start is now described as a required outbound request.
- Minor clarifications and stronger enforcement language throughout documentation.
v2.5.2
- Updated environment and config instructions: Now supports environment variable and XDG config file for managing CLIENT_PRIVATE_KEY.
- Added mandatory security protocols to comply with ClawHub Safety Standards.
- Mainnet usage now requires explicit user confirmation before making payments.
- Agent workflow clarified: must always fetch API details before invocation; never guess parameters.
- Revised and streamlined documentation; project home now points directly to GitHub.
- No file or logic changes detected, only changes in documentation and metadata.
v2.5.1
- Migrated skill to a standalone CLI tool; all scripts and the SDK are now external dependencies.
- All internal source files and helper scripts removed—use `bunx @paynodelabs/paynode-402-cli` for all operations.
- Updated skill documentation and command references for the CLI-based workflow.
- Improved agent safety and best practices, including required discovery commands and explicit usage notes.
- All environment variables and binary requirements clarified for stateless, up-to-date usage.
v2.4.0
- Updated PayNode Protocol to v2.2.3.
- Bumped skill version to 2.4.0.
- Updated CLI output and documentation examples to reflect new version numbers.
- No code changes detected; documentation refresh only.
v2.3.0
**v2.3.0 is a major update focused on enhanced security and flexibility for environment variable management.**
- All critical configuration now uses system environment variables or CLI flags, eliminating reliance on plaintext `.env` files.
- Added new optional environment variables for advanced control: `PAYNODE_MARKET_URL`, `PAYNODE_RPC_URL`, `PAYNODE_RPC_TIMEOUT`, `PAYNODE_TASK_DIR`, `PAYNODE_MAX_AGE`.
- Updated documentation with setup instructions for securely configuring `CLIENT_PRIVATE_KEY` across Linux, macOS, and Windows environments.
- Reflects version bumps in expected outputs and instructions.
- General improvements for operational safety and agent compatibility.
v2.2.4
## paynode-402 v2.2.4 changelog
- Updated all user-facing CLI output and documentation to display the current skill version as 2.2.4.
- Added explicit skill_version and sdk_version fields to JSON outputs and documentation examples for improved clarity.
- Minor documentation edits to CLI usage for consistency and accuracy.
v2.2.3
paynode-402 v2.2.3
- Aligns documentation to match current environment variable and flag support, reflecting the actual implementation.
- Removes reference to the optional PAYNODE_MARKETPLACE_URL environment variable for improved accuracy.
- No changes to source code or functionality; documentation updates only.
v2.2.2
Marketplace integration and new commands for paid API discovery (version 2.2.2):
- Added marketplace client and types for discovering and inspecting paid APIs.
- Introduced new CLI commands: list-paid-apis, get-api-detail, and invoke-paid-api.
- Added scripts for marketplace interactions.
- SKILL.md updated with usage docs for the marketplace flow.
- Removed references/TESTING.md.
v1.0.1
- Updated protocol version from 2.2.0 to 2.2.1 throughout documentation.
- Example outputs and configuration now reflect version 2.2.1.
- No other user-facing changes noted.
v1.0.0
Initial release of paynode-402 skill for x402-v2 resource-based API billing on Base L2.
- Automates access to protected APIs using PayNode Protocol v2.2.0, supporting both on-chain and EIP-3009 payment methods.
- Requires Bun (v1.0+) and a dedicated CLIENT_PRIVATE_KEY (burner wallet); warns strongly against using any primary or non-burner wallets.
- CLI provides commands for checking balances, minting test USDC, and performing automated payments and API unlocks.
- Supports async/background execution for agent workflows, including result polling and auto-cleanup of task files.
- Handles JSON, text, and binary API responses; includes detailed flag-based configuration for testnet/mainnet safety.
- Focuses on strong agent safety rules and minimal exposure of private credentials.
Metadata
Frequently Asked Questions
What is paynode-402?
Dynamic Premium API Marketplace for AI Agents. Grants access to an ever-expanding registry of real-time external tools (e.g., web search, crypto oracles, web... It is an AI Agent Skill for Claude Code / OpenClaw, with 250 downloads so far.
How do I install paynode-402?
Run "/install paynode-402" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is paynode-402 free?
Yes, paynode-402 is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does paynode-402 support?
paynode-402 is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created paynode-402?
It is built and maintained by PayNodeLabs (@paynodelabs); the current version is v2.7.5.
More Skills