flacko2048

Self-hosted Crypto Payment

by Flacko2048 · GitHub ↗ · v1.0.1 · MIT-0
cross-platform ⚠ suspicious
Downloads: 116
Stars: 1
Active Installs: 0
Versions: 2
Install in OpenClaw
/install self-hosted-crypto
Description
Add self-custodied crypto payment checkout to a Next.js + Supabase app. Accepts ETH, BTC, SOL, USDC, USDT and 25+ coins across 9 chains. No payment processor...
Usage Guidance
Key points to review before installing:
- This is true self-custody: CRYPTO_MASTER_MNEMONIC controls all derived deposit wallets. If compromised you lose funds. Use a secure secrets manager (Vercel/AWS/etc.), not a checked-in .env file. Prefer a dedicated hot wallet with minimal funds for day-to-day payments; consider a multisig or sweep strategy for long-term storage.
- The skill's registry metadata omitted required env vars. Do not trust the registry summary — follow SKILL.md and the code which require CRYPTO_MASTER_MNEMONIC and CRON_SECRET.
- Ensure CRON_SECRET is strong and stored in hosting cron config so the cron request includes Authorization: Bearer <CRON_SECRET>. Confirm timingSafeEqual usage is actually comparing fixed-length buffers (the code does this), but test cron auth in a staging environment.
- The skill assumes you have a working server-side Supabase service client helper; verify your service role keys and RLS policies are correct and no mnemonic or private keys are exposed to client bundles. Do not import crypto-wallets.ts into client code.
- Audit the copied server files (resources/*.ts) yourself before deploying, and test on testnets first. Verify the RPC endpoints hard-coded in the code are acceptable for your needs (they are public RPC endpoints) and consider replacing with paid/private RPC providers if you need higher reliability.
- Consider operational risks: address reuse prevention, DB backups, expiry windows, edge cases for token decimals and chain reorganizations, and legal/compliance implications of accepting crypto in your jurisdiction.
- If you want stronger assurance, ask the publisher for provenance (homepage, source repo) and a security review; lack of a homepage/source in the registry metadata reduces traceability.
Capability Analysis
Type: OpenClaw Skill
Name: self-hosted-crypto
Version: 1.0.1
The skill bundle provides a comprehensive and well-documented implementation for a self-hosted crypto payment gateway using HD wallet derivation (EVM, BTC, SOL). While it handles a highly sensitive secret (CRYPTO_MASTER_MNEMONIC), the code follows security best practices, such as performing all derivation server-side, using timing-safe comparisons for authentication (timingSafeEqual in check-crypto-payments-route.ts), and implementing database-level protections like Row Level Security (RLS) and unique constraints to prevent address reuse. The external network calls are limited to standard public blockchain RPCs and price APIs (CoinGecko, Mempool.space), and the documentation includes explicit security advisories regarding mnemonic management.
Capability Tags
crypto, requires-wallet, can-make-purchases
Capability Assessment
Purpose & Capability
The skill's code and SKILL.md align with the stated purpose: it derives HD wallet addresses (EVM/BTC/SOL), creates pending payment records, polls blockchains, and applies payments. Requiring a master mnemonic (CRYPTO_MASTER_MNEMONIC) and a cron secret is consistent with self-custodied payments. However, the registry metadata lists "Required env vars: none" while SKILL.md and the code explicitly require CRYPTO_MASTER_MNEMONIC and CRON_SECRET; that metadata omission is an inconsistency you should not ignore.
Instruction Scope
SKILL.md is explicit: copy server-side files into Next.js routes, install the listed npm deps, add CRYPTO_MASTER_MNEMONIC and CRON_SECRET, and configure a cron to hit the protected endpoint. The instructions restrict the mnemonic to server-side code and explicitly warn not to import wallet code into client components. The instructions do ask the agent to read/write project files (copy templates), which matches allowed-tools and the skill's purpose.
Install Mechanism
There is no automated install spec (instruction-only). The SKILL.md instructs installing standard npm packages (ethers, @scure/*, @solana/web3.js, qrcode). These are expected and proportionate. No arbitrary binary downloads or remote archives are used by the skill itself.
Credentials
The code and SKILL.md require two sensitive environment values: CRYPTO_MASTER_MNEMONIC (the BIP39 mnemonic controlling all derived deposit addresses) and CRON_SECRET (protecting the cron endpoint). Those are proportionate to the functionality but extremely high-value secrets. The registry metadata incorrectly reported 'none' for required env vars, a potentially dangerous omission. The skill also relies on your Supabase server-side client configuration (service role/keys) but does not explicitly list any Supabase service role env vars; ensure your existing server helpers are already correctly configured.
Persistence & Privilege
The skill does not request always:true and is user-invocable. It requires file read/write/edit permissions to copy templates into your repo — that's expected for a code scaffolding skill. It does not attempt to modify other skills or system-wide agent configuration. No persistent autonomous privileges beyond normal skill behavior are requested.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install self-hosted-crypto
  3. After installation, invoke the skill by name or use /self-hosted-crypto
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
- Added explicit environment variable requirements for `CRYPTO_MASTER_MNEMONIC` and `CRON_SECRET` in the skill manifest.
- Updated installation instructions to include `qrcode` and `@types/qrcode` as required dependencies.
- No code changes; documentation and setup process are now more precise for easier onboarding and configuration.
v1.0.0
Self-hosted crypto payments for Next.js + Supabase apps — complete, no third-party required.
- Adds production-ready, self-custodied crypto checkout supporting 25+ coins across 9 blockchains (ETH, BTC, SOL, USDC, USDT, and more).
- No payment processor fees; all addresses derived and managed in-app using a single mnemonic (HD wallet).
- Implements on-chain polling via a cron job to securely confirm payments (no reliance on webhooks).
- Modular checkout handles credits, plan changes, and resource add-ons—with server-side pricing enforced.
- Includes setup docs, ready-to-copy API/routes/components, and security notes for fast integration.
- Fully customisable: supported coins, fulfillment logic, payment window, and more.
Metadata
Slug self-hosted-crypto
Version 1.0.1
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 2
Frequently Asked Questions

What is Self-hosted Crypto Payment?

Add self-custodied crypto payment checkout to a Next.js + Supabase app. Accepts ETH, BTC, SOL, USDC, USDT and 25+ coins across 9 chains. No payment processor... It is an AI Agent Skill for Claude Code / OpenClaw, with 116 downloads so far.

How do I install Self-hosted Crypto Payment?

Run "/install self-hosted-crypto" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Self-hosted Crypto Payment free?

Yes, Self-hosted Crypto Payment is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Self-hosted Crypto Payment support?

Self-hosted Crypto Payment is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Self-hosted Crypto Payment?

It is built and maintained by Flacko2048 (@flacko2048); the current version is v1.0.1.
