Spraay Openclaw

by plagtech · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
216 Downloads · 1 Stars · 0 Active Installs · 1 Versions
Install in OpenClaw
/install spraay-openclaw
Description
Payment infrastructure for AI agents. Batch crypto payments, x402 micropayment gateway, agent-to-agent USDC settlement, multi-chain payroll, Bitcoin PSBT tra...
Usage Guidance
What to consider before installing:
  1. Verify and lock SPRAAY_GATEWAY_URL — only set it to the official gateway URL (https://gateway.spraay.app) unless you fully trust an alternative endpoint. An attacker-controlled gateway URL would let the skill send any data (including local files) to that endpoint.
  2. Treat SPRAAY_API_KEY carefully — although optional, confirm whether the gateway uses it; don't provide private keys or wallet secrets to this skill.
  3. The script's ipfs-pin reads and base64-encodes a local file and transmits it — avoid using ipfs-pin with sensitive files.
  4. The script calls endpoints that may require x402 payment headers; confirm whether payments require your wallet or the gateway negotiates payments server-side before sending funds.
  5. Small inconsistencies to confirm: the script uses base64 (not listed in required binaries) and doesn't use the optional API key header; ask the publisher for clarification and for source code or audits of the gateway service before routing real payments.
  6. If you plan to allow autonomous agent invocation with this skill, limit its scope (test on a non-production account, use small amounts, and monitor network traffic).
If you want more definitive guidance I can: (a) point out exact places to change the script to avoid accidental exfiltration, (b) generate a minimal wrapper that whitelists endpoints/filenames, or (c) produce questions to ask the publisher to increase confidence.
Capability Analysis
Type: OpenClaw Skill
Name: spraay-openclaw
Version: 1.0.0

The Spraay skill bundle provides extensive payment and API gateway capabilities but includes high-risk functionality and security vulnerabilities. The `ipfs-pin` command in `scripts/spraay.sh` allows the agent to read local files, base64-encode them, and transmit their full content to the remote gateway (`gateway.spraay.app`), which serves as a potential data exfiltration vector. Additionally, the script lacks input sanitization when constructing JSON payloads for `curl` commands (e.g., in the `ai` and `batch` cases), making it vulnerable to JSON and shell injection. While these features are consistent with the stated goal of providing an IPFS and payment infrastructure, the lack of safeguards around file access and input handling poses a significant risk to the host environment.
Capability Assessment
Purpose & Capability
Name and description (payment gateway, batch payments, x402, PSBT, RTP) align with the included docs and the script: the skill only needs a gateway URL and curl to call the listed endpoints. The README references gateway-side environment variables (Alchemy, Pinata, etc.) that are internal to the gateway and not required by the skill.
Instruction Scope
The runtime script and SKILL.md instruct the agent to send arbitrary data to the configured gateway URL. The ipfs-pin command base64-encodes and transmits the contents of a local file—this is a legitimate feature for pinning, but it is effectively a capability to exfiltrate any file the agent can read. The SKILL.md also suggests providing callback URLs for RTP; those could cause the agent to expose endpoints or accept inbound webhooks. The script uses base64 -w0 but base64 is not declared in required binaries (inconsistency).
Install Mechanism
No install spec; the skill is instruction+script only and uses curl to make HTTP calls. No remote downloads or archive extraction are present in the skill bundle.
Credentials
Only SPRAAY_GATEWAY_URL is required (SPRAAY_API_KEY optional). This is proportional for a gateway client, but marking the gateway URL as the 'primary credential' is unusual: if an attacker sets SPRAAY_GATEWAY_URL to a malicious endpoint, the agent will send requests and any data (including base64'd files) to that endpoint. The optional SPRAAY_API_KEY is declared but not used by the provided script (inconsistency).
Persistence & Privilege
always is false and the skill does not request persistent or system-wide privileges. The skill does not modify other skills or system settings.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install spraay-openclaw
  3. After installation, invoke the skill by name or use /spraay-openclaw
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of Spraay, a payment infrastructure for AI agents.
- Enables batch crypto payments to multiple recipients across 13+ chains (Base, Ethereum, Solana, Bitcoin, Arbitrum, Polygon, BNB Chain, and more).
- Provides agent access to x402 micropayment gateway with 76+ paid API endpoints (AI, RPC, search, communication, storage, robot tasks, and more).
- Supports Bitcoin batch payments via PSBT (non-custodial, with fee estimation and UTXO management).
- Implements the Robot Task Protocol (RTP) for discovering, commissioning, and paying robots via USDC micropayments.
- Allows agent-to-agent payments (including escrow, milestone-based, and batch settlement).
- Ready-to-integrate via a published MCP server (“spraay-x402-mcp”) for programmatic agent toolkit compatibility.
Metadata
Slug spraay-openclaw
Version 1.0.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Spraay Openclaw?

Payment infrastructure for AI agents. Batch crypto payments, x402 micropayment gateway, agent-to-agent USDC settlement, multi-chain payroll, Bitcoin PSBT tra... It is an AI Agent Skill for Claude Code / OpenClaw, with 216 downloads so far.

How do I install Spraay Openclaw?

Run "/install spraay-openclaw" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Spraay Openclaw free?

Yes, Spraay Openclaw is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Spraay Openclaw support?

Spraay Openclaw is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Spraay Openclaw?

It is built and maintained by plagtech (@plagtech); the current version is v1.0.0.
