Soho
by SULEMAN ISMAILA · GitHub · v2.0.0
417 Downloads · 0 Stars · 0 Active Installs · 2 Versions
Install in OpenClaw
/install soho-pay
Description
Initiate payments on the SOHO Pay credit layer using EIP-712 signatures.
Usage Guidance
This skill appears to implement exactly what it claims (EIP‑712 orchestration and on‑chain settlement), but check a few things before installing/running:
1) Verify the registry metadata mismatch: skill.json / SKILL.md require RPC_URL, CHAIN_ID, and SIGNER_PROVIDER. Make sure you supply and protect those env vars.
2) Only point WALLET_SIGNER_SERVICE_URL at a trusted, user‑controlled MPC/HSM/signing service and keep SIGNER_SERVICE_AUTH_TOKEN secret; audit that service’s /sign-eip712 and /send-tx endpoints.
3) Never use SOHO_DEV_PRIVATE_KEY on mainnet; the code enforces this but double-check CHAIN_ID and DEV_ALLOW_LOCAL_KEY before running.
4) Confirm the platform invocation settings. Although the skill is written to be manual-invocation-only, the platform flag you were shown suggests autonomous invocation is permitted; ensure the platform honors manual-only invocation or that you don’t enable autonomous runs.
5) Note the declared SOHO_API_URL is not used by the code; ask the author if that’s intentional.
6) Because package.json exists, running locally requires npm install; review dependencies and the contract addresses in config before sending real funds.
If anything above is unclear, ask the skill author for clarifications and an integrity checksum for the package files.
Capability Analysis
Type: OpenClaw Skill
Name: soho-pay
Version: 2.0.0
The OpenClaw AgentSkills bundle is designed for orchestrating payments on a credit layer and exhibits a strong security-first design. Key security features include explicit manual invocation and user confirmation requirements enforced by both metadata (`SKILL.md`, `skill.json`) and a runtime guard (`scripts/pay.js`). The skill strictly separates key custody, stating it never holds private keys, delegating signing to user-controlled wallet signers (local dev key or remote MPC/HSM). Robust environment variable validation using Zod (`src/config.js`) prevents misconfiguration, and the use of local private keys is strictly gated to testnets by default. Input sanitization for `merchantAddress` prevents address spoofing, and all external network calls are to user-configured URLs with proper authentication. There is no evidence of data exfiltration, malicious execution, persistence mechanisms, or prompt injection attempts against the agent.
Capability Assessment
Purpose & Capability
The skill is a payment orchestrator for the SOHO credit layer and its code requires RPC access, chain selection, and a wallet-signing backend (remote or local). Those requirements are appropriate for the described purpose. However, the registry metadata supplied to you earlier claims no required environment variables, while skill.json and SKILL.md declare multiple required env vars (RPC_URL, CHAIN_ID, SIGNER_PROVIDER, etc.) — that's an upstream metadata mismatch to verify.
Instruction Scope
Runtime instructions (scripts/pay.js and SKILL.md) restrict actions to: config validation, pre-flight credit checks on-chain, requesting EIP‑712 signatures from a user-controlled signer, and submitting spendWithAuthorization to the Creditor contract. The skill does not attempt to read unrelated files or exfiltrate secrets. Note: SOHO_API_URL is declared in config but is not actually used by the code. This is a scope inconsistency but not an obvious data-exfiltration issue.
Install Mechanism
There is no installer specified (instruction-only from platform perspective), but code files and package.json dependencies exist. Running the skill locally will require installing Node deps (ethers, dotenv, zod). No suspicious remote download or obscure install URL is present.
Credentials
The environment variables declared (RPC_URL, CHAIN_ID, SIGNER_PROVIDER, optional WALLET_SIGNER_SERVICE_URL and SIGNER_SERVICE_AUTH_TOKEN, and a dev private key for local testing) align with the skill's needs. Sensitive values (SIGNER_SERVICE_AUTH_TOKEN, SOHO_DEV_PRIVATE_KEY) are marked sensitive in skill.json. There are no unrelated credentials requested.
Persistence & Privilege
The skill is not marked always:true and skill.json + SKILL.md indicate manual invocation with require_confirmation. The runtime script also refuses to run when SOHO_AUTONOMOUS env is set. However, the platform-level flags you were shown indicate disable-model-invocation: false (the platform default), which could allow the platform to attempt autonomous invocation; the skill defends itself by aborting in that case, but you should confirm that the platform honors the skill's manual-invocation intention and that operators do not override it.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install soho-pay
- After installation, invoke the skill by name or use /soho-pay
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v2.0.0
**Major refactor of soho-pay to v2.0.0, with a new modular codebase and enhanced signing architecture.**
- Modularized signer logic into separate files for local and remote wallet signer providers.
- Added comprehensive configuration handling and input validation.
- Improved project structure: added package and skill metadata files; removed legacy docs.
- Enforced stricter security boundaries: never exposes or passes signing keys to SoHo; supports only explicit EVM addresses for merchants.
- Clarified usage patterns for both local dev and production (MPC/HSM) signing flows.
v1.0.1
SOHO Pay v1.0.1 — Initial Release
- Orchestrates secure payments on the SOHO Pay credit layer via EIP-712 signatures and the Creditor smart contract.
- Enforces strict three-party separation: Wallet Signer (user-controlled), SoHo (credit checks/JIT funding), Blockchain (settlement).
- Supports only explicit merchant EVM addresses—never derives from names.
- Confirms manual invocation only; always requires explicit user confirmation before executing payments.
- Implements strong mainnet and key custody safeguards by defaulting to remote signing (MPC/HSM) and gating local key usage to testnets.
- Provides clear contract addresses and environment variable requirements for deployment on Base Sepolia (testnet) and Base Mainnet (with confirmation).
Frequently Asked Questions
What is Soho?
Initiate payments on the SOHO Pay credit layer using EIP-712 signatures. It is an AI Agent Skill for Claude Code / OpenClaw, with 417 downloads so far.
How do I install Soho?
Run "/install soho-pay" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Soho free?
Yes, Soho is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Soho support?
Soho is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Soho?
It is built and maintained by SULEMAN ISMAILA (@max-clinch); the current version is v2.0.0.