117788abc

clawtip

by ClawTip · GitHub ↗ · v1.0.12 · MIT-0
cross-platform ✓ Security Clean
453 Downloads · 2 Stars · 2 Active Installs · 13 Versions
Install in OpenClaw
/install clawtip
Description
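Executes clawtip payment transactions for third-party skills. Trigger this tool strictly in the following scenarios only: a third-party service has initiated a valid clawtip payment request, the user explicitly asks to create a clawtip payment user token, or the user asks to view their clawtip wallet (triggering without a valid condition is strictly prohibited). When the user asks to view their clawtip wallet (for example, "查看我的clawtip...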
README (SKILL.md)

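Preflight: Runtime Environment and Version Verification

At the start of each session, before running any actual payment or registration command, first perform one static fetch of environment information. This ensures that every invocation uses the latest secure version that has been pre-provisioned and pinned.

Run the following check silently to keep the package consistent: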

npm view @clawtip/clawtip-cli version

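**Note:** We pin @clawtip/[email protected] for all runtime interaction. The npm view step here verifies that the remote registry is reachable. All network requests to the NPM mirror stack and GitHub are defined as normal, expected preflight behavior for this workflow (Network calls to npm are expected for this workflow).

If the status is normal, do not announce the version information to the user; proceed directly to the subsequent business flow. If the network raises an exception, report it to the user.

Execution Boundaries and Security Constraints (Instruction Scope & Boundaries)

  • Human-in-the-loop: every authorization or payment URL that triggers an actual call must be shown to the user, and you must wait for the user's explicit reply confirming execution. Never poll (do not poll).
  • Credential security: the whole flow relies on the uniformly returned redirect/authorization URL and the built-in sandbox token mechanism. Never proactively ask the user for private keys or plaintext passwords, and never proactively parse or retain sensitive keys in logs.

[!IMPORTANT] All subsequent payment and authorization-query operations must be handled by the clawtip command-line tool installed in this step.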


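Handling a Payment Request

1. Required parameters

Provide the following parameters strictly in the defined format:

  • order_no (string, required): the order number from Phase 1 (order creation) of the calling skill. orderNo is also accepted as an equivalent parameter name.
  • indicator (string, required): the indicator value from Phase 1 of the calling skill, usually the MD5 hash of the skill name.

[!NOTE] The payment context is prepared in advance by the caller's workflow. You only need to pass order_no (or orderNo) and indicator to the CLI unchanged. When the caller passes orderNo, treat it as equivalent to order_no.

2. Hyperparameters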

  • skill-version (string): The version of the skill. Currently set to 1.0.12.

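3. Execute the command

For every operation, rely directly on npx with the pinned version number to ensure security and reuse (pulled straight from the local cache or a controlled sandbox environment):

npx --yes @clawtip/[email protected] pay -o <order_no> -i <indicator> -v <skill-version>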

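4. Result handling rules

Analyze the standard output of the executed command and process it strictly in order according to the response protocol below. Stop as soon as the first item matches; do not continue to later steps.

[!NOTE] To avoid showing the user cluttered, overly long URLs, when a network exception is raised and you are asked to show the raw log, it is recommended to abbreviate the session query parameters in it (such as a specific token) as ***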

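⚡ Global priority rule

If the output contains `已获取到支付凭证`, then regardless of whether the same output also contains information such as "需要授权/授权链接/鉴权链接" (authorization required / authorization link / authentication link), you must first execute Step 2 only (extract the order number), then proactively call back the calling skill with the order number to obtain the payment status, and then branch on the returned status.

Prohibited actions (when `已获取到支付凭证` is matched, before the callback to the caller has returned a status):

  • Do not parse the payment status from the CLI output yourself.
  • Do not extract or decode authorization/authentication links.
  • Do not give the end user authorization/authentication instructions.
  • Do not skip the callback to the caller and run subsequent business logic on your own (such as checking the weather directly or displaying the authorization page directly).

The interaction flow is as follows:

  1. If `已获取到支付凭证` appears → first go to Step 2 to extract the order number, then proactively call back the calling skill with the order number; the caller returns the payment status.
  2. After receiving the payment status returned by the caller:
    • If the status is success → go to Step 4 Case A. End.
    • If the status is processing → go to Step 4 Case B. End.
    • If the status is failed (FAIL) → go to Step 2.1, use the authorization/authentication link in the earlier CLI output to check whether recovery is possible, and fall back to Step 3 if necessary.
  3. If `已获取到支付凭证` does not appear → evaluate Step 1 first, then Step 3, in order.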

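Step 1 — Network/system failure (check first)

  • Trigger: the output contains `网络或系统异常:`
  • Action: report the specific error returned by the CLI. In addition, if the output contains `返回消息: <MESSAGE>`, show <MESSAGE> to the user as supplementary error context and suggest a next step. Stop here; do not enter Step 2.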

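Step 2 — Obtain the payment credential

  • Trigger: the output contains `已获取到支付凭证` and contains `订单号: <ORDER_NO>`

  • Meaning: the payment request has successfully reached the server, and the order can proceed to the next stage.

  • Action:

    1. Return the order number for subsequent processing:

      订单号: <ORDER_NO>

    2. **Output constraint:** when this step is matched, the outward reply may contain only the order number (optionally with a minimal wait hint); it must not include any payment-status judgment, authorization/authentication link, link-decoding result, or subsequent business action.
  • After returning the order number: proactively call back the calling skill with the order number; the caller parses and returns the payment status. Once you have the status, continue with Step 4. If the status is failed (FAIL), continue with Step 2.1.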


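Step 2.1 — Credential decryption fallback (Fallback)

This step is triggered only when the subsequent payment result is **failed (FAIL)**.

  • Trigger: the payment status obtained after Step 2 is FAIL (or an equivalent failure status).

  • Action: check whether the CLI output contains an authorization or authentication indicator:

    Case A: the output contains a `授权链接` (authorization link) indicator

    • Meaning: the user has not yet completed authorization, so the payment cannot be completed.
    • Action: fall back to Step 3 Case A; the CLI has already provided the user guidance.

    Case B: the output contains a `鉴权链接` (authentication link) indicator

    • Meaning: the payment cannot be completed because additional authentication is still required.
    • Action: fall back to Step 3 Case B; the CLI has already provided the user guidance.

    Case C: neither indicator is present

    • Meaning: the payment failed and there is no further authorization/authentication recovery path.
    • Action: report the failure to the user. If `返回消息: <MESSAGE>` is present, use it as supplementary context; if there are no specific details, advise the user to retry later or contact support.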

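Step 3 — Authorization / authentication required

⚠️ This step covers two scenarios:

  1. The original CLI output does not contain `已获取到支付凭证`.
  2. A subsequent failure result shows that the user still needs to complete authorization or authentication.

Case A: Failed + authorization link → Authorization Required

  • Trigger (direct): the output meets all of the following conditions:
    1. `支付状态: 失败` ← required (exact match)
    2. A `授权链接:` indicator is present ← required
    3. Does not contain `已获取到支付凭证` ← required

  • Meaning: the payment cannot continue until the user completes authorization.

  • Action:

    1. The CLI output contains a user-facing authorization link. Show that link to the user as the official authorization link. If `返回消息: <MESSAGE>` is present, show it as supplementary context as well.
    2. Extract {clawtip_id} from the authorization URL (that is, the query parameter clawtipId, for example ...?clawtipId={clawtip_id}).
    3. Prompt the user to complete authorization: show the authorization link and state explicitly: "After scanning the QR code and completing authorization, please tell me 「我已授权」 or 「我已完成授权」 so that the caller can continue the payment flow."

    Handling after the user confirms authorization

    When the user replies 「我已授权」 or 「我已完成授权」, do not retry the payment directly; follow this order:

    1. Query the authorization status first: using the {clawtip_id} extracted earlier from the authorization URL, run the "Query User Registration Status" command (see the section below) to confirm whether authorization succeeded.
    2. Branch on the query result:
      • If the authorization status is successful → re-run the payment command with the original order_no and indicator (back to "Handling a Payment Request → 3. Execute the command") and handle the payment result according to Step 4.
      • If the authorization status is processing → tell the user that authorization is still being processed and to try again later.
      • If the authorization status is failed or abnormal → tell the user that authorization did not succeed and to scan the QR code again to authorize.

Case B: Processing + authentication link → Authentication Required

  • Trigger (direct): the output meets all of the following conditions:

    1. `支付状态: 处理中` ← required (exact match)
    2. A `鉴权链接:` indicator is present ← required
    3. Does not contain `已获取到支付凭证` ← required
  • Trigger (fallback): a subsequent status reports failure, and the earlier output contains an authentication indicator.

  • Meaning: the payment is waiting for the user to complete additional authentication.

  • Action: the CLI output contains a user-facing authentication link. Show that link to the user as the official authentication link. If `返回消息: <MESSAGE>` is present, show it as supplementary context as well.

If Step 3 matches, stop here; do not continue to Step 4.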


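Step 4 — Route by final status

After obtaining the subsequent payment status, handle it in the corresponding branch:

Case A: Success (transaction succeeded)

  • Trigger: the final status is success
  • Action:
    1. Confirm to the user that the payment was processed successfully.
    2. Clearly show the complete payment result: Payment Success Info: <DECRYPTED_PAY_INFO>

Case B: Processing

  • Trigger: the final status is processing
  • Action: tell the user that the payment is still processing and suggest checking the payment status again shortly.

Case C: Failed

  • Trigger: the final status is failed (or FAIL).
  • Action: go to Step 2.1 (credential decryption fallback) to determine whether a recoverable path (authorization/authentication) exists. Do not report failure directly here; Step 2.1 must be checked first.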
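
The response protocol above (Steps 1 to 4 and the Step 2.1 fallback), written out as a decision function. This is an added example, not code from the clawtip project: the marker strings are the literals quoted in the README, while the function names, the caller status names SUCCESS/PROCESSING/FAIL, the 'unmatched' result and the choice to test Step 1 before the credential marker are assumptions.

```javascript
// Added example, not the clawtip project's code. Marker strings are the literals
// the README quotes; caller status names and 'unmatched' are assumptions.
const CREDENTIAL = '已获取到支付凭证';
const NET_ERROR = '网络或系统异常';

// Value after "<label>:" on the same line (ASCII or full-width colon).
function field(out, label, wholeLine = false) {
  const value = wholeLine ? '(.+)' : '(\\S+)';
  const m = out.match(new RegExp(label + '[ \\t]*[::][ \\t]*' + value));
  return m ? m[1].trim() : null;
}

// clawtipId is the query parameter the README keeps for check-register.
function clawtipIdOf(link) {
  try { return new URL(link).searchParams.get('clawtipId'); } catch { return null; }
}

// Step 3 (direct) and Step 2.1 (fallback) link checks on the pay output.
function routeLinks(out, direct) {
  const authz = field(out, '授权链接');
  const authn = field(out, '鉴权链接');
  const status = field(out, '支付状态');
  // Direct triggers also need the exact status line; the fallback does not.
  if (authz && (!direct || status === '失败')) {
    return { step: '3A', link: authz, clawtipId: clawtipIdOf(authz) };
  }
  if (authn && (!direct || status === '处理中')) return { step: '3B', link: authn };
  return { step: direct ? 'unmatched' : '2.1C', message: field(out, '返回消息', true) };
}

// Decision taken on CLI stdout alone, before any callback to the caller.
function routePayOutput(out) {
  // Assumption: Step 1 is tested first, following the numbered step order.
  if (out.includes(NET_ERROR)) return { step: '1', message: field(out, '返回消息', true) };
  if (out.includes(CREDENTIAL)) {
    // Global priority rule: only the order number leaves this branch, even
    // when the same output also carries an authorization link.
    const orderNo = field(out, '订单号');
    return orderNo ? { step: '2', orderNo } : { step: 'unmatched' };
  }
  return routeLinks(out, true);
}

// Decision taken once the calling skill has reported the payment status.
function routeCallerStatus(out, status) {
  if (status === 'SUCCESS') return { step: '4A' };
  if (status === 'PROCESSING') return { step: '4B' };
  return status === 'FAIL' ? routeLinks(out, false) : { step: 'unmatched' };
}
```

Keeping the link out of the Step 2 result means an authorization URL cannot reach the user until the caller has reported FAIL and the fallback is evaluated.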

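Creating a User Payment Token

When the user explicitly asks to create a token (for example `创建token xxx` or `create token xxx`), run the following command.

1. Required parameters

Provide the following parameters strictly in the defined format:

  • user_token (string): the user token from `创建token xxxxxx`.

2. Execute the command

npx --yes @clawtip/[email protected] create-token -t <user_token>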

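Query User Registration Status

When the user explicitly asks to query the user registration status (for example `查询token注册状态 xxx`, `query token register status xxx`, or `我已注册`), run the following command.

1. Required parameters

Provide the following parameter:

  • clawtip_id (string): the user's Clawtip ID.

2. Execute the command

npx --yes @clawtip/[email protected] check-register -d <clawtip_id>

3. Result handling rules

Analyze the standard output of the executed command and strictly follow the response protocol below:

Case A: Processing

  • Trigger: the output matches Status: processing
  • Action: tell the user that registration is still processing, and optionally report the current polling count.

Case B: Success

  • Trigger: the output matches Status: successful
  • Action: confirm to the user that registration succeeded and that the user has obtained a user token.

Case C: Execution failed

  • Trigger: any error message, a timeout, or output that matches none of the patterns above.
  • Action: report the specific error returned by the CLI.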

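Viewing the Clawtip Wallet

When the user asks to view their clawtip wallet with a phrase such as `查看我的clawtip钱包`, `查看钱包`, `打开clawtip钱包`, `查看clawtip钱包`, `clawtip钱包管理`, or `view my clawtip wallet`, reply with the following:

You can view your clawtip wallet by scanning the QR code at the following link:

👉 View Clawtip wallet

Open the link in a browser and scan the QR code to view your wallet details.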

Usage Guidance
This skill appears to do what it says: it shells out to a clawtip CLI from npm and enforces human confirmation for payments. Before installing, you should: (1) review the npm package (@clawtip/[email protected]) source/repo and release provenance (the skill claims SLSA/audit but doesn't include checksums), (2) consider restricting network/egress for the agent or pinning packages with a verified integrity hash if your environment requires stronger guarantees, (3) be aware that npx will execute remote code at runtime and stdout may contain one-time tokens/URLs which the skill will surface to users — ensure your agent environment redacts or never persists such secrets, and (4) verify that the invoking workflow supplies the order_no and indicator and that you trust the caller to avoid unintended payment triggers. If you cannot verify the npm package provenance, treat this as higher risk.
Capability Analysis
Type: OpenClaw Skill · Name: clawtip · Version: 1.0.12
The 'clawtip' skill is a payment processing integration that utilizes a specific NPM package (@clawtip/[email protected]) to handle transactions. The instructions in SKILL.md and IMPORTANT_STATEMENTS.md are focused on secure workflow management, including mandatory human-in-the-loop confirmation for payment URLs, masking sensitive tokens (***) in logs, and explicit prohibitions against requesting private keys. The skill's behavior is consistent with its stated purpose, and it references legitimate JD Finance infrastructure (clawtip.jd.com).
Capability Tags
crypto · requires-wallet · can-make-purchases · requires-sensitive-credentials
Capability Assessment
Purpose & Capability
The name/description say this skill performs Clawtip payment flows for third-party skills; the SKILL.md only requires invoking an npm CLI (@clawtip/[email protected]) via npx and parsing stdout — that is coherent with the stated purpose. No unrelated env vars, binaries, or config paths are requested.
Instruction Scope
Runtime instructions are explicit: run an npm view check, use npx to run the clawtip CLI for pay/create-token/check-register, parse stdout and follow a strict state machine, and require human confirmation before payment actions. This stays within the described payment scope. Two items to note: (1) the skill asks the agent to 'silently' run npm view (a network call) — silent network activity may be unexpected in some environments; (2) CLI stdout may contain one-time tokens/URLs that the skill will display to users per flow — that requires careful handling to avoid accidental exfiltration.
Install Mechanism
There is no local code file; the skill relies on npx fetching @clawtip/[email protected] from npm at runtime. Fetching and executing code from the public npm registry is a normal design for a CLI but is a meaningful supply-chain/runtime execution risk. The SKILL.md and IMPORTANT_STATEMENTS.md claim signed provenance and audits, but those claims are not verifiable from the skill bundle itself and there is no integrity checksum or lockfile included in the skill to enforce a specific artifact beyond the npm version tag.
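
One way to close the gap described above is to record the package's integrity digest out of band and check it before anything is executed. The following is an added example, not part of the skill or the clawtip CLI; it assumes `dist` is the object printed by `npm view <spec> dist --json`, `tarball` holds the bytes of the file fetched by `npm pack <spec>`, and `pinnedSri` is a digest recorded after reviewing the package. All function names are hypothetical.

```javascript
const crypto = require('node:crypto');

// Exact x.y.z version only: "@scope/name@1.2.3", never a tag or a range.
const EXACT_SPEC = /^(@[a-z0-9._~-]+\/)?[a-z0-9._~-]+@\d+\.\d+\.\d+$/;
const RANK = { sha512: 3, sha384: 2, sha256: 1 }; // sha1 is deliberately not accepted

// Parse an SRI string ("sha512-<base64> sha1-<base64>") and keep the strongest hash.
function strongestHash(sri) {
  const entries = String(sri).trim().split(/\s+/)
    .map((e) => /^(sha\d+)-([A-Za-z0-9+/]+=*)$/.exec(e))
    .filter((m) => m && RANK[m[1]])
    .map((m) => ({ algo: m[1], digest: Buffer.from(m[2], 'base64') }));
  entries.sort((a, b) => RANK[b.algo] - RANK[a.algo]);
  return entries[0] || null;
}

// True only if the tarball bytes hash to the digest pinned out of band.
function tarballMatchesPin(tarball, pinnedSri) {
  const pin = strongestHash(pinnedSri);
  if (!pin) return false; // the pin holds no acceptable algorithm
  const actual = crypto.createHash(pin.algo).update(tarball).digest();
  return actual.length === pin.digest.length && crypto.timingSafeEqual(actual, pin.digest);
}

// Gate to run before npx: exact version, registry metadata equal to the pin,
// and downloaded bytes that hash to the pin. Any mismatch fails closed.
function checkBeforeRun(spec, dist, tarball, pinnedSri) {
  if (!EXACT_SPEC.test(spec)) return 'reject: spec is not an exact version';
  if (!dist || dist.integrity !== pinnedSri) return 'reject: registry integrity differs from pin';
  if (!tarballMatchesPin(tarball, pinnedSri)) return 'reject: tarball bytes differ from pin';
  return 'ok';
}
```

Installing or running from the verified tarball file, rather than resolving the spec a second time, keeps the bytes that were checked and the bytes that execute the same.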
Credentials
The skill declares no required environment variables or credentials, which aligns with the instructions (it expects order_no and indicator from the caller). The skill does instruct parsing and transiently showing URLs that may include tokens; the instructions state these should not be persisted and should be redacted when logged, which is proportionate but depends on correct implementation by the agent runtime.
Persistence & Privilege
always is false and the skill does not request writing to system config or other skills' settings. disable-model-invocation is false (normal). The skill is instruction-only and does not request persistent privileges; autonomous invocation is allowed by default but not inherently problematic here.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install clawtip
  3. After installation, invoke the skill by name or use /clawtip
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.12
clawtip 1.0.12 - The skill-version parameter has been updated to 1.0.12 (previously 1.0.3). - All other functionality, flows, and invocation constraints remain unchanged.
v1.0.11
Version 1.0.11 - No file changes detected in this release. - Behavior and documentation remain unchanged from the previous version.
v1.0.10
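clawtip 1.0.10 - Bumped `skill-version` in the payment command parameters from `1.0.1` to `1.0.3`. - The remaining execution flow, interface parameters, and security boundaries are unchanged. - The supported capability scope and invocation constraints remain the same.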
v1.0.9
Version 1.0.9 — Major update: Migration from legacy multi-script implementation to official NPM CLI tool - All Python and JS command scripts removed; now delegates all payment/authorization flows to @clawtip/[email protected] via npx. - Skill instructions fully rewritten and streamlined to match the new CLI's workflow, parameters, and output handling. - Enhanced security and user interaction: all payment, authorization, and registration results are now intermixed with explicit user confirmations and protocol outputs. - Preflight npm version check added before any operation to ensure runtime consistency. - "View wallet," user token creation, and registration status queries are now handled exclusively via the CLI. - Network error handling and output protocols revised for concise, user-facing responses.
v1.0.8
clawtip 1.0.8 Changelog - Updated internal version reference for the `skill-version` parameter from 1.0.1 to 1.0.8 in the documentation and workflow. - No logic, functional, or file changes detected beyond the version synchronization.
v1.0.7
- No code or documentation changes detected in this release. - Version incremented to 1.0.7 without source file modifications; functionality remains unchanged.
v1.0.6
clawtip 1.0.6 - Changed payment script invocation to use only `order_no` and `indicator` as arguments; payment details are now loaded from an order JSON file on disk. - Updated SKILL.md instructions to reflect the new payment parameter handling and execution flow. - Added scripts/file_utils.py for filesystem operations. - Added IMPORTANT_STATEMENTS.md documenting critical internal behaviors and requirements.
v1.0.5
clawtip v1.0.5 - No code or documentation changes detected in this release. - Version metadata updated without file modifications. - All functionalities, usage instructions, and security guidance remain unchanged.
v1.0.4
clawtip 1.0.4 - No code changes detected in this version. - SKILL.md revised: the security advisory now omits the step about version control exclusion for local credential files. - All functionality, dependencies, and invocation policies remain unchanged.
v1.0.3
clawtip 1.0.4 - Updated documentation (SKILL.md) with detailed system architecture, security disclosures, and permission justifications. - Strict invocation and trigger policy clarified to prevent unintended or unauthorized payment execution. - Added clear wallet viewing URL instructions for users requesting to view their clawtip wallet. - Node.js runtime dependency explicitly emphasized for encryption tooling functionality. - Credential storage security advisories introduced, including OS-level file and directory permission recommendations.
v1.0.2
clawtip 1.0.2 Change
v1.0.1
clawtip 1.0.1 - Updated the following scripts: check_register_status.py, create_token.py, and payment_process.py. - No user-facing or documentation changes detected; no alterations to SKILL.md. - General maintenance and minor internal code changes only.
v1.0.0
clawtip 1.0.0 - Initial release of the clawtip skill for executing third-party payment transactions. - Supports triggering only under strict conditions: valid payment request, wallet view, or user token creation. - Provides a secure payment workflow leveraging Node.js-based encryption tooling (Node.js required). - Explains all permission requirements and security best practices for credential storage. - Includes detailed instructions for payment processing, error handling, and integration with third-party calling skills.
Metadata
Slug clawtip
Version 1.0.12
License MIT-0
All-time Installs 2
Active Installs 2
Total Versions 13
Frequently Asked Questions

What is clawtip?

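Executes clawtip payment transactions for third-party skills. Trigger this tool strictly in the following scenarios only: a third-party service has initiated a valid clawtip payment request, the user explicitly asks to create a clawtip payment user token, or the user asks to view their clawtip wallet (triggering without a valid condition is strictly prohibited). When the user asks to view their clawtip wallet (for example, "查看我的clawtip... It is an AI Agent Skill for Claude Code / OpenClaw, with 453 downloads so far.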

How do I install clawtip?

Run "/install clawtip" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is clawtip free?

Yes, clawtip is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does clawtip support?

clawtip is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created clawtip?

It is built and maintained by ClawTip (@117788abc); the current version is v1.0.12.
