← Back to Skills Marketplace
asgcompute

ASG Card

by ASG Compute · GitHub ↗ · v0.2.0 · MIT-0
macoslinuxwindows ⚠ suspicious
270
Downloads
1
Stars
1
Active Installs
2
Versions
Install in OpenClaw
/install agentcard
Description
Virtual MasterCards for AI agents — crypto payments, USDC wallet, create and manage virtual payment cards autonomously via x402 protocol on Stellar blockchain.
README (SKILL.md)

Agent Card — Payment Skill

Give your AI agent a virtual MasterCard. Agent Card lets agents autonomously create, fund, and manage virtual MasterCard cards by paying in USDC on the Stellar blockchain.

What It Does

  • Create cards — Issue virtual MasterCards with per-card spend limits
  • Fund cards — Top up existing cards with USDC
  • Manage cards — List, freeze, unfreeze, and inspect card details
  • On-chain payments — Every transaction uses the x402 protocol on Stellar with verifiable on-chain proof

Setup

npx @asgcard/cli onboard -y

This creates a Stellar wallet (~/.asgcard/wallet.json), configures the MCP server, and installs the payment skill. Your agent is ready to pay in under 30 seconds.

MCP Tools (9 available)

Tool Description
get_wallet_status Wallet address, USDC balance, readiness
create_card Create virtual MasterCard (x402 payment)
fund_card Top up existing card
list_cards List all wallet cards
get_card Card summary
get_card_details PAN, CVV, expiry (nonce-protected)
freeze_card Freeze a card
unfreeze_card Re-enable a card
get_pricing Current tier pricing

Use Cases

  • Pay for API credits (Anthropic, OpenAI, Google Cloud)
  • Provision cloud infrastructure (DigitalOcean, Vercel)
  • Buy domains, SaaS subscriptions, and developer tools
  • Any merchant that accepts MasterCard

Links

Usage Guidance
Key points to consider before installing or providing secrets: - This skill enables an agent to perform real payments and issue virtual MasterCards. If you supply a funded Stellar private key (ASG_CARD_WALLET_SECRET) the agent can spend real USDC. Only provide a key you explicitly trust the skill with. - There is an inconsistency: the SKILL/README claim the MCP server uses a local wallet file (~/.asgcard/wallet.json) and 'no env vars needed', yet the registry metadata marks ASG_CARD_WALLET_SECRET as required/primary. That should be clarified—don't assume where your secret will be read from or stored. - The code bundle includes many runnable scripts (CLI, mcp-server, e2e, preflight). Review those scripts locally before executing. They perform network calls to api.asgcard.dev and Stellar Horizon endpoints. - A prompt-injection pattern (unicode control characters) was detected in SKILL.md. Inspect SKILL.md raw bytes; do not blindly feed it to an agent or evaluation pipeline without sanitization. Practical mitigations: - Use a dedicated, low-funded Stellar wallet for experiments. Do not use high-value keys or production treasury keys. - Prefer the local wallet file workflow (created by onboarding) over exporting a private key into global environment variables. If the skill truly needs ASG_CARD_WALLET_SECRET, prefer injecting it only into a tightly-scoped runtime environment and remove it afterwards. - Audit the onboarding CLI and mcp-server code (cli/src/wallet-client.ts, mcp-server/src/wallet-client.ts, and api/src/middleware/walletAuth.ts) to confirm where and how secrets are read, stored, and transmitted. - If you expect the skill to act autonomously, set strict spending limits at the issuer/facilitator level and monitor transactions closely. Consider adding an approval step in the agent flow (require human approval before spending beyond trivial amounts). - If you cannot audit the code or vendor, do not provide production keys; instead test with sandbox accounts. If you want, I can: (a) point to the exact files that read env vars and wallet files so you can inspect them, or (b) list the code paths that would sign or transmit transactions so you can review them in detail.
Capability Analysis
Type: OpenClaw Skill Name: agentcard Version: 0.2.0 The Agent Card skill bundle is a well-engineered and legitimate tool for managing virtual MasterCards via the Stellar blockchain. It implements several security best practices, including AES-256-GCM encryption for card details at rest (pgCardRepo.ts), Ed25519 signature verification for wallet authentication (walletAuth.ts), and strict log redaction of sensitive data like PANs and CVVs (logger.ts). The code logic is transparent, follows the x402 payment protocol, and includes robust anti-replay mechanisms using nonces and idempotency keys. No evidence of malicious intent, unauthorized data exfiltration, or prompt injection was found.
Capability Tags
cryptorequires-walletcan-make-purchases
Capability Assessment
Purpose & Capability
Functionality (create/fund/manage cards via x402 on Stellar) matches the code and files present; a payment skill legitimately needs a Stellar wallet secret. However the SKILL metadata declares ASG_CARD_WALLET_SECRET as required while the README/SKILL.md repeatedly says the MCP server/readme uses a local wallet file (~/.asgcard/wallet.json) and 'no env vars needed' for clients — that mismatch is unexplained and surprising.
Instruction Scope
Runtime instructions ask you to run npx @asgcard/cli onboard which creates a local wallet and configures MCP tools (expected). But the SKILL.md also contains a frontmatter requiring an env var ASG_CARD_WALLET_SECRET. Additionally, a prompt-injection pattern (unicode-control-chars) was detected in SKILL.md — this could indicate attempts to manipulate prompt parsing during evaluation. The skill grants an agent autonomous authority to initiate on-chain payments and issue real MasterCard numbers, which is within purpose but high-impact and needs explicit user consent and clear secret handling.
Install Mechanism
There is no install spec (instruction-only in registry metadata), which is low-risk, but the package includes a large source tree and executable scripts (CLI, mcp-server, e2e and preflight scripts). Those scripts will perform network calls (API, Horizon) and can run locally via the repo — review them before running. The absence of an explicit install mechanism is not itself malicious but means the user/agent may run arbitrary included scripts via npx or by executing repo files.
Credentials
The skill declares a single primary credential ASG_CARD_WALLET_SECRET (a Stellar private key) — that is logically required for signing payments but is a highly sensitive secret. The SKILL.md and README claim the wallet 'never leaves your machine' and that 'no env vars needed' for MCP clients; yet the registry metadata forces ASG_CARD_WALLET_SECRET as required. The code and tests reference additional env vars (WEBHOOK_SECRET, STELLAR_TREASURY_ADDRESS, API_BASE, etc.) that are not declared as required. The combination of unclear secret ingestion paths and a privileged primary credential is concerning.
Persistence & Privilege
The skill is not always: true and does not demand elevated platform privileges. Autonomous invocation is enabled by default (normal for skills) and means an agent could spend funds when invoked. This is expected for a payment skill but increases blast radius: if the agent is allowed to act autonomously and holds a funded wallet, it can make real on-chain payments and create real cards.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install agentcard
  3. After installation, invoke the skill by name or use /agentcard
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.2.0
Optimized search keywords, added ClawHub install option, partner logos (Stellar, Circle, MasterCard)
v0.1.0
- Initial release of Agent Card skill (asgcard) version 1.0.8. - Enables AI agents to create, fund, and manage virtual MasterCards using USDC on Stellar via x402 protocol. - Supports on-chain payments with verifiable proof. - Includes tools for card creation, funding, management, and pricing queries. - Easy setup with wallet onboarding and payment skill installation.
Metadata
Slug agentcard
Version 0.2.0
License MIT-0
All-time Installs 1
Active Installs 1
Total Versions 2
Frequently Asked Questions

What is ASG Card?

Virtual MasterCards for AI agents — crypto payments, USDC wallet, create and manage virtual payment cards autonomously via x402 protocol on Stellar blockchain. It is an AI Agent Skill for Claude Code / OpenClaw, with 270 downloads so far.

How do I install ASG Card?

Run "/install agentcard" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is ASG Card free?

Yes, ASG Card is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does ASG Card support?

ASG Card is cross-platform and runs anywhere OpenClaw / Claude Code is available (macos, linux, windows).

Who created ASG Card?

It is built and maintained by ASG Compute (@asgcompute); the current version is v0.2.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191113 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments