paparusi

A2A Payments

Author: Lê Minh Hiếu · GitHub ↗ · v2.0.1
cross-platform ⚠ suspicious
Total downloads: 581
Favorites: 0
Current installs: 0
Versions: 2
Install in OpenClaw
/install a2a-payments
Description
Blockchain USDC payments via APay — pay services, manage budgets, open streaming channels, and handle x402 protocol.
Usage (SKILL.md)

A2A Payments (APay)

Blockchain-native USDC payments for AI agents on Base chain. Pay for services, manage budgets, and handle micropayments.

Quick Start

Check your balance:

Use apay_check_balance to see my USDC balance

Pay a service:

Use apay_pay_service with serviceId "svc-123" and amount "0.50"

Available Tools

Balance & Budget

| Tool | Description |
|------|-------------|
| apay_check_balance | Check USDC balance, daily budget, spending limits |
| apay_budget_check | Verify if a specific amount is affordable |
| apay_spending_history | Get spending analytics and history |

Payments

| Tool | Description |
|------|-------------|
| apay_pay_service | Pay a service (agent pays gas) |
| apay_pay_signed | Gasless signed payment (server submits on-chain) |
| apay_estimate_cost | Estimate cost including 0.5% platform fee |

Services

| Tool | Description |
|------|-------------|
| apay_list_services | List available APay services |
| apay_get_service | Get detailed service info |

Payment Channels (Streaming)

| Tool | Description |
|------|-------------|
| apay_channel_status | Check channel status |
| apay_stream_open | Open channel with USDC deposit |
| apay_stream_pay | Sign off-chain micropayment |
| apay_stream_close | Close channel (refund unspent) |

x402 Protocol

| Tool | Description |
|------|-------------|
| apay_x402_fetch | Fetch URL with automatic x402 payment on HTTP 402 |

Workflows

Pay for a tool execution

  1. apay_budget_check — verify affordability
  2. apay_estimate_cost — see total with fees
  3. apay_pay_service — execute payment
  4. Receive payment receipt with tx hash

Streaming micropayments

For services that charge per-request (API calls, data feeds):

  1. apay_stream_open — deposit USDC into channel
  2. apay_stream_pay — sign micropayments (off-chain, instant)
  3. apay_stream_close — settle on-chain, refund remainder

x402 auto-payment

For services using the HTTP 402 payment protocol:

Use apay_x402_fetch with url "https://api.example.com/premium/data" and maxPayment "1.00"

The tool automatically detects 402 responses, pays the required amount, and retries the request.

Network

  • Chain: Base (Coinbase L2)
  • Stablecoin: USDC (6 decimals)
  • Model: Escrow-based sessions with spending limits
  • Testnet: base-sepolia for development
Security recommendations
Do not install this skill until you verify how payments are authorized and where signing happens. Ask the publisher for documentation showing: (1) whether payments are signed client-side (and how private keys are provided/stored) or server-side (and what API credentials are required), (2) what safeguards prompt for user consent and enforce spending limits, and (3) the npm package source, version, and audit info. If you proceed, test only on the specified testnet, restrict any credentials to least privilege, and review the @a2a/openclaw-plugin package contents (or its source repository) before granting it network or wallet access.
Functional analysis
Type: OpenClaw Skill
Name: a2a-payments
Version: 2.0.1

The skill is classified as suspicious due to its inherent high-risk capabilities, even though they align with its stated purpose. The `SKILL.md` instructs the agent to install an external Node.js package (`@a2a/openclaw-plugin`), introducing a supply chain risk. More critically, the skill provides tools like `apay_pay_service` and `apay_pay_signed` for initiating financial transactions, and `apay_x402_fetch` which allows the agent to fetch arbitrary URLs. The ability to make payments and fetch arbitrary URLs represents a significant vulnerability risk (e.g., SSRF via `apay_x402_fetch` or financial loss via payment tools) if the agent is compromised or instructed maliciously, even without explicit malicious intent in the skill's instructions themselves.
Capability assessment
Purpose & Capability
The skill's stated purpose is making on-chain USDC payments, opening streaming channels, and auto-paying HTTP 402 endpoints. Those actions normally require a signing key or an API/service credential, yet the skill declares no required environment variables, no wallet configuration, and no primary credential. This is incoherent: either the plugin/service needs access to private keys or server-side signing, or the metadata is incomplete.
Instruction Scope
SKILL.md instructs the agent to 'use' apay_* tools (check balance, pay services, auto-pay 402 responses) but is vague about confirmation flows, consent, or limits. The x402 auto-payment description implies automatic detection of 402 responses and paying/retrying requests — a behavior that could cause unexpected spending if consent/limits are not enforced. The instructions do not reference reading local files or extra env vars, but the high-level guidance grants broad authority to execute payments without explicit safety steps.
Install Mechanism
The install spec is an npm package (@a2a/openclaw-plugin). Using npm is a common pattern and not inherently malicious, but it means arbitrary code from the package will run in the agent environment. No homepage, publisher information, or checksum is provided in the skill metadata, so the package's provenance and contents should be inspected before installing.
Credentials
No environment variables, keys, or API tokens are declared despite the need to authorize and sign payments. This absence is disproportionate to the stated functionality. If the plugin relies on a remote service to sign payments, that service should require and declare credentials; if it expects local wallets, the skill should declare how keys are provided. The current metadata gives no justification for the missing credentials.
Persistence & Privilege
The skill does not request always:true and keeps default autonomous invocation. Autonomous invocation plus the ability to send payments increases risk because the agent could act without a user prompt. The skill lacks documentation of required user confirmations or spending safeguards, which combined with autonomous invocation is notable but not itself a configuration error.
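The consent and spending-limit checks that the assessment above finds undocumented for x402 auto-payment can be expressed as a gate that runs before any payment is signed. This is an added example, not code from the skill or from the @a2a/openclaw-plugin package; the function names, the policy fields, the add-on treatment of the 0.5% fee and the sample policy are assumptions.

```javascript
// Added example: policy gate evaluated before an x402-style auto-payment.
// Every name here (toMicroUsdc, withFee, evaluatePayment, policy fields) is
// hypothetical; none of it is the APay plugin's API.

// USDC has 6 decimals: parse a decimal string into integer micro-USDC.
function toMicroUsdc(s) {
  const m = /^(\d+)(?:\.(\d{1,6}))?$/.exec(String(s));
  if (!m) throw new Error(`invalid USDC amount: ${s}`);
  return BigInt(m[1]) * 1000000n + BigInt((m[2] || '').padEnd(6, '0'));
}

// Assumption: the 0.5% platform fee is added on top, rounded up.
const withFee = (micro) => micro + (micro * 5n + 999n) / 1000n;

const deny = (reason) => ({ action: 'deny', total: 0n, reason });

// WHATWG URL normalises IPv4 forms to dotted quad and brackets IPv6.
const isIpLiteral = (h) => h.startsWith('[') || /^\d+(\.\d+){3}$/.test(h);

function evaluatePayment(policy, req) {
  let url;
  try { url = new URL(req.url); } catch { return deny('unparseable URL'); }
  if (url.protocol !== 'https:') return deny('non-HTTPS URL');
  if (isIpLiteral(url.hostname)) return deny('IP-literal host');
  if (!policy.allowedHosts.includes(url.hostname)) return deny('host not allowlisted');

  let total;
  try { total = withFee(toMicroUsdc(req.quotedAmount)); }
  catch (e) { return deny(e.message); }

  if (total > toMicroUsdc(policy.maxPayment)) return deny('exceeds maxPayment');
  if (policy.spentToday + total > toMicroUsdc(policy.dailyBudget)) {
    return deny('exceeds daily budget');
  }
  // Anything above the threshold goes to the user instead of being auto-paid.
  const confirm = total > toMicroUsdc(policy.confirmAbove);
  return { action: confirm ? 'confirm' : 'pay', total, reason: 'within policy' };
}

// Constructed sample policy and 402 quote.
const policy = {
  allowedHosts: ['api.example.com'], maxPayment: '1.00',
  dailyBudget: '5.00', confirmAbove: '0.25', spentToday: 0n,
};
const quote = { url: 'https://api.example.com/premium/data', quotedAmount: '0.50' };
const decision = evaluatePayment(policy, quote);
console.log(decision.action, decision.total.toString());
```

The host check is by name only; a client that follows redirects or resolves an allowlisted name to an internal address needs its own checks at connection time.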
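How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install a2a-payments
  3. Once installation completes, call the Skill by name or trigger it with /a2a-payments
  4. Provide the required inputs according to the Skill's parameter documentation to get structured output
Version history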
v2.0.1
APay USDC payment tools for AI agents on Base chain. Budget management, service payments, streaming channels, and x402 protocol support.
v2.0.0
Initial release — APay blockchain USDC payments with 13 tools on Base mainnet
Metadata
Slug: a2a-payments
Version: 2.0.1
License:
Total installs: 0
Current installs: 0
Historical versions: 2
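FAQ

What is A2A Payments?

Blockchain USDC payments via APay — pay services, manage budgets, open streaming channels, and handle x402 protocol. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 581 total downloads to date.

How do I install A2A Payments?

Run the command "/install a2a-payments" in the OpenClaw or Claude Code chat box for a one-step install; no additional configuration is required.

Is A2A Payments free?

Yes, A2A Payments is completely free (free and open source) and can be freely downloaded, installed, and used.

Which platforms does A2A Payments support?

A2A Payments is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed A2A Payments?

It is developed and maintained by Lê Minh Hiếu (@paparusi); the current version is v2.0.1.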
