← Back to Skills Marketplace
Clawpay
by
mmchougule
· GitHub ↗
· v0.1.0
1553
Downloads
0
Stars
1
Active Installs
1
Versions
Install in OpenClaw
/install clawpay-2
Description
Private payments for AI agents - no on-chain link between sender and recipient
README (SKILL.md)
ClawPay 🦞
Send money privately. Recipient sees funds from Railgun - can't trace back to you.
Just Run It
Prerequisites: You need a wallet private key with USDT on BSC.
Save this as send-private.mjs and run with node send-private.mjs:
// send-private.mjs - Copy this entire file and run it
import { Wallet, JsonRpcProvider, Contract, parseUnits } from 'ethers';
// ============ CONFIGURE THESE ============
const PRIVATE_KEY = process.env.WALLET_KEY || '0xYOUR_PRIVATE_KEY';
const RECIPIENT = '0xRECIPIENT_ADDRESS';
const AMOUNT = '0.10'; // USDT amount
// =========================================
const API = 'https://clawpay.dev';
const BSC_RPC = 'https://bsc-dataseed.binance.org/';
const USDT = '0x55d398326f99059fF775485246999027B3197955';
const SIGN_MSG = 'b402 Incognito EOA Derivation';
async function sendPrivate() {
const provider = new JsonRpcProvider(BSC_RPC);
const wallet = new Wallet(PRIVATE_KEY, provider);
const myAddress = wallet.address;
console.log('Sending', AMOUNT, 'USDT privately to', RECIPIENT);
console.log('From wallet:', myAddress, '\
');
// 1. Sign message
console.log('1. Signing...');
const signature = await wallet.signMessage(SIGN_MSG);
// 2. Get invoice address
console.log('2. Getting invoice...');
const invoiceRes = await fetch(
API + '/invoice?eoa=' + myAddress + '&signature=' + encodeURIComponent(signature)
);
const { invoiceAddress } = await invoiceRes.json();
console.log(' Invoice:', invoiceAddress);
// 3. Transfer USDT to invoice
console.log('3. Transferring USDT to invoice...');
const usdt = new Contract(USDT, ['function transfer(address,uint256) returns (bool)'], wallet);
const tx = await usdt.transfer(invoiceAddress, parseUnits(AMOUNT, 18));
console.log(' TX:', tx.hash);
await tx.wait();
// 4. Execute private transfer
console.log('4. Executing private transfer...');
const transferRes = await fetch(API + '/transfer', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({
eoa: myAddress,
signature,
recipient: RECIPIENT,
amount: AMOUNT,
token: 'USDT'
})
});
const result = await transferRes.json();
if (result.transferId) {
console.log('\
✓ SUCCESS!');
console.log('Transfer ID:', result.transferId);
console.log('Status:', result.status);
console.log('\
Recipient gets funds from Railgun in ~60 seconds.');
console.log('They CANNOT see your wallet address.');
console.log('\
Check status: curl ' + API + '/status/' + result.transferId);
} else {
console.log('Error:', result.error);
}
}
sendPrivate().catch(console.error);
Run it:
npm install ethers
WALLET_KEY=0xYourPrivateKey node send-private.mjs
How It Works
YOU CLAWPAY API RECIPIENT
│ │ │
├── USDT to invoice ──────►│ │
│ │ │
├── Sign message ─────────►│ │
│ │ │
├── POST /transfer ───────►│ │
│ ├── Shield (Railgun) ─────►│
│ ├── ZK Proof (~60s) ──────►│
│ ├── Unshield ─────────────►│
│ │ │
│ │ Funds from "Railgun" │
│ │ NO LINK TO YOU │
API Reference
Base URL: https://clawpay.dev
| Endpoint | Method | Description |
|---|---|---|
/health |
GET | API status |
/invoice?eoa=...&signature=... |
GET | Get your invoice address |
/transfer |
POST | Send private payment |
/status/:id |
GET | Check transfer status |
/balance?eoa=...&signature=...&token=USDT |
GET | Check shielded balance |
/faucet |
POST | Get BNB for gas (testnet) |
POST /transfer
{
"eoa": "0xYourAddress",
"signature": "0xSignedMessage...",
"recipient": "0xRecipientAddress",
"amount": "1.00",
"token": "USDT"
}
Response:
{
"transferId": "tx_123...",
"status": "pending",
"message": "Transfer initiated"
}
Status flow: pending → shielding → proving → complete
No Private Key? Use Bankr Wallet
If you're an agent without direct wallet access, use Bankr:
// 1. Get your wallet from Bankr
const bankrWallet = await bankr.getWallet();
// 2. Sign the ClawPay message
const signature = await bankr.signMessage('b402 Incognito EOA Derivation');
// 3. Use signature with ClawPay API
// (same flow as above)
Supported Tokens (BSC)
| Token | Address |
|---|---|
| USDT | 0x55d398326f99059fF775485246999027B3197955 |
| USDC | 0x8AC76a51cc950d9822D68b83fE1Ad97B32Cd580d |
Need Gas?
curl -X POST https://clawpay.dev/faucet \
-H "Content-Type: application/json" \
-d '{"address": "0xYourAddress"}'
Troubleshooting
| Error | Fix |
|---|---|
| "Insufficient balance" | Transfer USDT to invoice first |
| "Signature does not match" | Sign exact message: b402 Incognito EOA Derivation |
| "No spendable UTXOs" | Wait 2 min after funding invoice |
Privacy for the agent economy | Built on Railgun | https://clawpay.dev
Usage Guidance
Before using this skill: (1) Understand the trust model — the script sends USDT to an invoice address returned by https://clawpay.dev and then asks that service to shield/unshield; you are trusting that operator with your funds and the privacy claim. (2) Do not paste your private key into unknown code or into environment variables on shared machines. Prefer a hardware wallet, an in-process signing flow, or the referenced Bankr wallet (verify Bankr's provenance) rather than exposing WALLET_KEY. (3) The skill metadata fails to declare that a private key is required — treat that as a red flag and ask the publisher to add explicit required env var declarations. (4) Verify the service: check clawpay.dev ownership, source code, audits of the Railgun integration, and community reputation before sending real funds. (5) Test with a very small amount first and inspect the returned invoice address and API responses. (6) If you allow agent autonomy, restrict this skill from running without explicit user confirmation because it can initiate on-chain transfers when provided with signing credentials.
Capability Analysis
Type: OpenClaw Skill
Name: clawpay-2
Version: 0.1.0
The skill instructs the AI agent to directly handle and use a private key (via `process.env.WALLET_KEY` or hardcoded) to perform financial transactions on the blockchain. The `SKILL.md` file contains a JavaScript script (`send-private.mjs`) that uses this private key to sign messages and transfer USDT to an external service (`https://clawpay.dev`). While the stated purpose is to facilitate private payments, requiring an agent to manage and utilize a private key for direct blockchain transactions represents a very high-risk capability and broad permission, even without clear evidence of intentional malicious redirection of funds within the provided code.
Capability Assessment
Purpose & Capability
The name/description (private payments via Railgun) match the runtime instructions: sign a wallet message, send USDT to an invoice address, and call clawpay.dev endpoints to shield/unshield. However the skill metadata declares no required credentials or env vars while the runtime instructions explicitly require a wallet private key (WALLET_KEY). That omission is an incoherence between claimed requirements and actual needs.
Instruction Scope
SKILL.md contains clear, concrete runtime steps (node script, sign message, call API endpoints, transfer tokens to invoice). It does not instruct the agent to read unrelated files or system secrets beyond the wallet key. The instructions do require executing user-supplied JS and making network calls to clawpay.dev, which is expected for this purpose.
Install Mechanism
This is instruction-only (no install spec, no downloaded code). The user is told to run npm install ethers and execute the provided script locally — the install surface is small and transparent.
Credentials
The runtime requires a wallet private key (WALLET_KEY) but the skill metadata lists no required env vars or primary credential. Requesting a private key is proportionate to making payments, but the metadata omission is misleading and increases risk (users or agents may not realize a secret is needed). Also relying on an external API (clawpay.dev) means the service operator can control the invoice addresses and the shielding flow — users must trust that operator with custody or routing of funds.
Persistence & Privilege
The skill does not request persistent presence (always:false), does not modify other skills or system configs, and has no install actions. Autonomous invocation is allowed by default on the platform; that is normal but raises general caution when combined with credential access (see guidance).
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install clawpay-2 - After installation, invoke the skill by name or use
/clawpay-2 - Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.0
- Major update: SKILL.md rewritten for version 1.1.0 with detailed usage, API reference, and troubleshooting.
- Added complete usage guide including sample Node.js script for sending private USDT payments.
- Expanded API documentation with all endpoint descriptions and example payloads.
- Included quickstart instructions, prerequisites, and support for Bankr wallet flows.
- Provided guidance for common errors and testnet faucet usage.
- Enhanced clarity around privacy features and supported tokens.
Metadata
Frequently Asked Questions
What is Clawpay?
Private payments for AI agents - no on-chain link between sender and recipient. It is an AI Agent Skill for Claude Code / OpenClaw, with 1553 downloads so far.
How do I install Clawpay?
Run "/install clawpay-2" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Clawpay free?
Yes, Clawpay is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Clawpay support?
Clawpay is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Clawpay?
It is built and maintained by mmchougule (@mmchougule); the current version is v0.1.0.
More Skills