← Back to Skills Marketplace
2839
Downloads
0
Stars
2
Active Installs
1
Versions
Install in OpenClaw
/install tron-x402-payment
Description
Pay for x402-enabled Agent endpoints using TRC20 tokens (USDT/USDD) on TRON
Usage Guidance
This skill implements on-chain TRC20 payments and therefore needs a TRON private key (and optionally a TronGrid API key for mainnet). Before installing or running: 1) Expect the tool to search environment variables and local files (~/.mcporter/mcporter.json, x402-config.json/.x402-config.json) for keys — if you keep other secrets in those files, the tool will read them. 2) Prefer supplying a dedicated ephemeral/testnet private key via TRON_PRIVATE_KEY (or use the --check mode) rather than storing your mainnet keys in shared configs. 3) Review the included dist/src code locally (it’s provided) and verify no unexpected network endpoints are contacted beyond the agent URL and TronGrid. 4) Be cautious about autonomous invocation: if the agent can call this skill without your confirmation, a compromised agent could attempt payments. 5) If unsure, test on nile/shasta with minimal funds and do not install on systems that store unrelated secrets in the checked config paths.
Capability Analysis
Type: OpenClaw Skill
Name: tron-x402-payment
Version: 1.0.0
This skill is classified as suspicious due to its handling of sensitive financial credentials and the execution of high-risk blockchain transactions. The `src/x402_tron_invoke.ts` script accesses the `TRON_PRIVATE_KEY` from environment variables and local configuration files (`~/.mcporter/mcporter.json`, `x402-config.json`), which is a sensitive operation. Furthermore, the skill is designed to perform TRC20 token payments, including an 'infinite approval' if the allowance is insufficient, which grants ongoing spending permission for the specified token. While the `SKILL.md` documentation and the TypeScript code include explicit security rules and sanitization to prevent private key leakage, the inherent risks associated with managing private keys and performing irreversible financial transactions warrant a 'suspicious' classification.
Capability Assessment
Purpose & Capability
The name/description (x402 TRC20 payments) aligns with the implemented functionality: the tool uses tronweb and an x402 client to sign payments and invoke agent endpoints. However, the registry metadata lists no required env vars while the SKILL.md and code clearly expect TRON_PRIVATE_KEY (and optionally TRON_GRID_API_KEY). That mismatch between declared requirements and actual code is a material inconsistency.
Instruction Scope
SKILL.md and the code instruct the tool to locate a private key and API key by checking: environment variables, current/home x402-config.json (and .x402-config.json in source), and ~/.mcporter/mcporter.json (iterating mcpServers entries). Reading these local config files is outside a minimal 'invoke agent' action and increases the credential surface — the tool will silently inspect local files for secrets. The tool also redirects console.log to console.error (so library debug output, possibly including signing details, will be emitted to stderr). Network calls are to the provided agent URL and TronGrid (expected for payments).
Install Mechanism
There is no remote download/install step; the package includes source and a compiled dist bundle. Dependencies are standard/npm packages (tronweb, @open-aibank/x402-tron). No evidence of arbitrary URL downloads or extract/install of remote archives.
Credentials
Requesting a TRON private key and a TronGrid API key is proportionate for a payment tool. But the code's behavior — searching multiple local files (including ~/.mcporter/mcporter.json and scanning mcpServers objects) — broadens where secrets may be read from. Also the published registry metadata not listing required env vars is inconsistent and may mislead users about what credentials will be accessed.
Persistence & Privilege
The skill is not always-enabled and is user-invocable. It permits autonomous invocation by default (platform default). That combination is expected for a payment/invoke tool, but because it can access private keys, autonomous invocation increases potential blast radius — consider this when enabling for agents that can act without user confirmation.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install tron-x402-payment - After installation, invoke the skill by name or use
/tron-x402-payment - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
tron-x402-payment 1.1.0 introduces new documentation and usability features.
- Updated SKILL.md with detailed usage instructions, quick start guide, security recommendations, examples, cost tables, troubleshooting guides, and token/network references.
- Added comprehensive explanation for wallet setup, environment variable handling, and agent endpoint invocation modes.
- Included do's and don'ts for secure handling of private keys and sensitive data.
- Provided guidance for handling 402 responses and payment workflow.
- Added command usage examples for multiple scenarios (v2 APIs, discovery, legacy endpoints, and status checking).
Metadata
Frequently Asked Questions
What is tron-x402-payment?
Pay for x402-enabled Agent endpoints using TRC20 tokens (USDT/USDD) on TRON. It is an AI Agent Skill for Claude Code / OpenClaw, with 2839 downloads so far.
How do I install tron-x402-payment?
Run "/install tron-x402-payment" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is tron-x402-payment free?
Yes, tron-x402-payment is completely free (open-source). You can download, install and use it at no cost.
Which platforms does tron-x402-payment support?
tron-x402-payment is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created tron-x402-payment?
It is built and maintained by AiBank (@wzc1206); the current version is v1.0.0.
More Skills