asgcompute

ASG Card

Author: ASG Compute · GitHub ↗ · v0.2.0 · MIT-0
macos · linux · windows · ⚠ suspicious
Total downloads: 270
Favorites: 1
Current installs: 1
Versions: 2
Install in OpenClaw
/install agentcard
Description
Virtual MasterCards for AI agents — crypto payments, USDC wallet, create and manage virtual payment cards autonomously via x402 protocol on Stellar blockchain.
Usage instructions (SKILL.md)

Agent Card — Payment Skill

Give your AI agent a virtual MasterCard. Agent Card lets agents autonomously create, fund, and manage virtual MasterCard cards by paying in USDC on the Stellar blockchain.

What It Does

  • Create cards — Issue virtual MasterCards with per-card spend limits
  • Fund cards — Top up existing cards with USDC
  • Manage cards — List, freeze, unfreeze, and inspect card details
  • On-chain payments — Every transaction uses the x402 protocol on Stellar with verifiable on-chain proof

Setup

npx @asgcard/cli onboard -y

This creates a Stellar wallet (~/.asgcard/wallet.json), configures the MCP server, and installs the payment skill. Your agent is ready to pay in under 30 seconds.

MCP Tools (9 available)

Tool               Description
get_wallet_status  Wallet address, USDC balance, readiness
create_card        Create virtual MasterCard (x402 payment)
fund_card          Top up existing card
list_cards         List all wallet cards
get_card           Card summary
get_card_details   PAN, CVV, expiry (nonce-protected)
freeze_card        Freeze a card
unfreeze_card      Re-enable a card
get_pricing        Current tier pricing

Use Cases

  • Pay for API credits (Anthropic, OpenAI, Google Cloud)
  • Provision cloud infrastructure (DigitalOcean, Vercel)
  • Buy domains, SaaS subscriptions, and developer tools
  • Any merchant that accepts MasterCard

Links

Security usage recommendations
Key points to consider before installing or providing secrets:

  • This skill enables an agent to perform real payments and issue virtual MasterCards. If you supply a funded Stellar private key (ASG_CARD_WALLET_SECRET) the agent can spend real USDC. Only provide a key you explicitly trust the skill with.
  • There is an inconsistency: the SKILL/README claim the MCP server uses a local wallet file (~/.asgcard/wallet.json) and 'no env vars needed', yet the registry metadata marks ASG_CARD_WALLET_SECRET as required/primary. That should be clarified—don't assume where your secret will be read from or stored.
  • The code bundle includes many runnable scripts (CLI, mcp-server, e2e, preflight). Review those scripts locally before executing. They perform network calls to api.asgcard.dev and Stellar Horizon endpoints.
  • A prompt-injection pattern (unicode control characters) was detected in SKILL.md. Inspect SKILL.md raw bytes; do not blindly feed it to an agent or evaluation pipeline without sanitization.

Practical mitigations:

  • Use a dedicated, low-funded Stellar wallet for experiments. Do not use high-value keys or production treasury keys.
  • Prefer the local wallet file workflow (created by onboarding) over exporting a private key into global environment variables. If the skill truly needs ASG_CARD_WALLET_SECRET, prefer injecting it only into a tightly-scoped runtime environment and remove it afterwards.
  • Audit the onboarding CLI and mcp-server code (cli/src/wallet-client.ts, mcp-server/src/wallet-client.ts, and api/src/middleware/walletAuth.ts) to confirm where and how secrets are read, stored, and transmitted.
  • If you expect the skill to act autonomously, set strict spending limits at the issuer/facilitator level and monitor transactions closely. Consider adding an approval step in the agent flow (require human approval before spending beyond trivial amounts).
  • If you cannot audit the code or vendor, do not provide production keys; instead test with sandbox accounts.
Functional analysis
Type: OpenClaw Skill
Name: agentcard
Version: 0.2.0

The Agent Card skill bundle is a well-engineered and legitimate tool for managing virtual MasterCards via the Stellar blockchain. It implements several security best practices, including AES-256-GCM encryption for card details at rest (pgCardRepo.ts), Ed25519 signature verification for wallet authentication (walletAuth.ts), and strict log redaction of sensitive data like PANs and CVVs (logger.ts). The code logic is transparent, follows the x402 payment protocol, and includes robust anti-replay mechanisms using nonces and idempotency keys. No evidence of malicious intent, unauthorized data exfiltration, or prompt injection was found.
Capability tags
crypto · requires-wallet · can-make-purchases
Capability assessment
Purpose & Capability
Functionality (create/fund/manage cards via x402 on Stellar) matches the code and files present; a payment skill legitimately needs a Stellar wallet secret. However the SKILL metadata declares ASG_CARD_WALLET_SECRET as required while the README/SKILL.md repeatedly says the MCP server/readme uses a local wallet file (~/.asgcard/wallet.json) and 'no env vars needed' for clients — that mismatch is unexplained and surprising.
Instruction Scope
Runtime instructions ask you to run npx @asgcard/cli onboard which creates a local wallet and configures MCP tools (expected). But the SKILL.md also contains a frontmatter requiring an env var ASG_CARD_WALLET_SECRET. Additionally, a prompt-injection pattern (unicode-control-chars) was detected in SKILL.md — this could indicate attempts to manipulate prompt parsing during evaluation. The skill grants an agent autonomous authority to initiate on-chain payments and issue real MasterCard numbers, which is within purpose but high-impact and needs explicit user consent and clear secret handling.
Install Mechanism
There is no install spec (instruction-only in registry metadata), which is low-risk, but the package includes a large source tree and executable scripts (CLI, mcp-server, e2e and preflight scripts). Those scripts will perform network calls (API, Horizon) and can run locally via the repo — review them before running. The absence of an explicit install mechanism is not itself malicious but means the user/agent may run arbitrary included scripts via npx or by executing repo files.
Credentials
The skill declares a single primary credential ASG_CARD_WALLET_SECRET (a Stellar private key) — that is logically required for signing payments but is a highly sensitive secret. The SKILL.md and README claim the wallet 'never leaves your machine' and that 'no env vars needed' for MCP clients; yet the registry metadata forces ASG_CARD_WALLET_SECRET as required. The code and tests reference additional env vars (WEBHOOK_SECRET, STELLAR_TREASURY_ADDRESS, API_BASE, etc.) that are not declared as required. The combination of unclear secret ingestion paths and a privileged primary credential is concerning.
Persistence & Privilege
The skill is not always: true and does not demand elevated platform privileges. Autonomous invocation is enabled by default (normal for skills) and means an agent could spend funds when invoked. This is expected for a payment skill but increases blast radius: if the agent is allowed to act autonomously and holds a funded wallet, it can make real on-chain payments and create real cards.
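How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install agentcard
  3. After installation, call the Skill by name or trigger it with /agentcard
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history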
v0.2.0
Optimized search keywords, added ClawHub install option, partner logos (Stellar, Circle, MasterCard)
v0.1.0
  • Initial release of Agent Card skill (asgcard) version 1.0.8.
  • Enables AI agents to create, fund, and manage virtual MasterCards using USDC on Stellar via x402 protocol.
  • Supports on-chain payments with verifiable proof.
  • Includes tools for card creation, funding, management, and pricing queries.
  • Easy setup with wallet onboarding and payment skill installation.
Metadata
Slug agentcard
Version 0.2.0
License MIT-0
Total installs 1
Current installs 1
Historical versions 2
FAQ

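What is ASG Card?

Virtual MasterCards for AI agents — crypto payments, USDC wallet, create and manage virtual payment cards autonomously via x402 protocol on Stellar blockchain. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 270 total downloads to date.

How do I install ASG Card?

Run the command "/install agentcard" in the OpenClaw or Claude Code chat box for one-click installation; no additional configuration is required.

Is ASG Card free?

Yes, ASG Card is completely free and released under the MIT-0 license; it can be freely downloaded, installed, and used.

Which platforms does ASG Card support?

ASG Card runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (macos, linux, windows).

Who developed ASG Card?

Developed and maintained by ASG Compute (@asgcompute); the current version is v0.2.0.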
