lumenfromthefuture

x402 Payment Protocol

by Lumen · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
Downloads: 385 · Stars: 0 · Active Installs: 7 · Versions: 1
Install in OpenClaw: /install x402
Description
Pay for resources via the x402 HTTP payment protocol using gasless USDC transfers on Base without accounts or KYC, enabling cryptographic identity-based access.
Usage Guidance
This skill implements the x402 payment flow and will need access to a wallet private key (PRIVATE_KEY) or a wallet file (WALLET_PATH) to sign EIP-3009 authorizations. The registry metadata failing to declare those sensitive env vars is an incoherence you should treat as a red flag. Before using: (1) do not paste your private key into untrusted UIs — prefer hardware wallets or short-lived keys; (2) inspect the x402.mjs code yourself or run it in an isolated environment; (3) if you must provide a key, consider creating a dedicated wallet with minimal funds and strict spending limits; (4) verify the USDC contract addresses and provider endpoints (conway.tech) against official sources; (5) be cautious that giving an agent a private key enables it to sign arbitrary authorizations — only proceed if you fully trust the code and the environment.
Capability Analysis
Type: OpenClaw Skill
Name: x402
Version: 1.0.0
The skill implements the x402 protocol for automated USDC payments on the Base network, which involves high-risk operations such as handling private keys and signing EIP-3009 transactions. While the behavior is aligned with its stated purpose, the implementation in `x402.mjs` automatically signs payment authorizations based on parameters (amount, recipient) provided by the remote server in a 402 response. This creates a vulnerability where a malicious server could potentially trick an agent into signing unauthorized or excessive payments. No evidence of intentional credential theft or hardcoded malicious destinations was found.
Capability Assessment
Purpose & Capability
The code and SKILL.md clearly implement x402 gasless USDC payments on Base (signing EIP-3009 authorizations and resubmitting requests). That capability matches the name/description. However, the package metadata declares no required environment variables or credentials while the code and documentation require a wallet private key (or a wallet file). The absence of declared credential requirements in the registry metadata is an incoherence.
Instruction Scope
Runtime instructions and examples tell the agent / user to load a private key from process.env.PRIVATE_KEY or a WALLET_PATH file, sign authorizations, and POST X-Payment headers. The instructions do not ask for unrelated system data. Small issues: the README references conway-domain.mjs (domain registration) but that file is not included in the bundle, and examples assume Node globals (fetch, atob/btoa, crypto) that depend on runtime. Otherwise the steps stay within the payment scope.
Install Mechanism
There is no install spec (instruction-only install), and package.json lists 'viem' as a dependency. Nothing in the skill downloads arbitrary code from unknown URLs or writes unexpected binaries. The absence of an install block means nothing is automatically written to disk by the registry installer, but a consumer would need to install dependencies manually to run the examples.
Credentials
The skill requires sensitive wallet access (PRIVATE_KEY or WALLET_PATH) to sign payments, but the registry metadata did not declare these required env vars. Reading a WALLET_PATH allows arbitrary-file access (the example uses readFileSync on a path you supply), which could expose other secrets if misused. The number of credentials is not large, but the omission in metadata and use of raw private keys are important security considerations.
Persistence & Privilege
The skill is not always-enabled and does not request persistent platform privileges. It does allow normal autonomous invocation (the default), so if the agent is given a private key the skill could be invoked to sign payments; that risk is inherent to any payment-capable skill and should be managed by the user.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install x402
  3. After installation, invoke the skill by name or use /x402
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release: x402 HTTP payment protocol for agents. Pay for compute with USDC on Base.
Metadata
Slug: x402
Version: 1.0.0
License
All-time Installs: 8
Active Installs: 7
Total Versions: 1
Frequently Asked Questions

What is x402 Payment Protocol?

Pay for resources via the x402 HTTP payment protocol using gasless USDC transfers on Base without accounts or KYC, enabling cryptographic identity-based access. It is an AI Agent Skill for Claude Code / OpenClaw, with 385 downloads so far.

How do I install x402 Payment Protocol?

Run "/install x402" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is x402 Payment Protocol free?

Yes, x402 Payment Protocol is completely free (open-source). You can download, install and use it at no cost.

Which platforms does x402 Payment Protocol support?

x402 Payment Protocol is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created x402 Payment Protocol?

It is built and maintained by Lumen (@lumenfromthefuture); the current version is v1.0.0.
