← 返回 Skills 市场
428
总下载
0
收藏
0
当前安装
5
版本数
在 OpenClaw 中安装
/install boltzpay
功能描述
Pay for API data automatically — multi-protocol (x402 + L402 + MPP), multi-chain, streaming sessions
使用说明 (SKILL.md)
BoltzPay — Paid API Access for AI Agents
BoltzPay lets AI agents pay for API data automatically. It supports three payment protocols (x402, L402, and MPP) across multiple chains (Base, Solana, Tempo), paying with USDC, Bitcoin Lightning, or Stripe. Agents can discover 5,700+ scored endpoints from the live registry, evaluate pricing, open streaming sessions, and purchase API data in a single workflow.
Quick Start
Fetch data from a paid API endpoint:
npx @boltzpay/cli fetch https://invy.bot/api
Commands
| Command | Description | Credentials Needed |
|---|---|---|
npx @boltzpay/cli fetch \x3Curl> |
Fetch and pay for API data | Yes |
npx @boltzpay/cli quote \x3Curl> |
Get a price quote | No |
npx @boltzpay/cli discover |
Browse the BoltzPay registry (5,700+ endpoints) | No |
npx @boltzpay/cli discover --protocol mpp --min-score 70 |
Filter by protocol and trust score | No |
npx @boltzpay/cli discover --query weather |
Search endpoints by name or URL | No |
npx @boltzpay/cli diagnose \x3Curl> |
Full diagnostic — DNS, protocol detection (x402/L402/MPP), pricing, health, latency | No |
npx @boltzpay/cli budget |
Check spending budget | No |
npx @boltzpay/cli history |
View payment history | No |
npx @boltzpay/cli wallet |
Check wallet address and balance | No |
Setup
Set the following environment variables for paid API access:
x402 (USDC on Base)
COINBASE_API_KEY_ID— Your Coinbase CDP API key IDCOINBASE_API_KEY_SECRET— Your Coinbase CDP API key secretCOINBASE_WALLET_SECRET— Your Coinbase CDP wallet secret
Get your Coinbase CDP keys at portal.cdp.coinbase.com.
MPP (Tempo payment channels)
TEMPO_PRIVATE_KEY— Tempo wallet private key (hex). Enables MPP one-shot payments and streaming sessions.
Optional
NWC_CONNECTION_STRING— NWC connection string for L402 (Lightning) paymentsSTRIPE_SECRET_KEY— Stripe secret key for Stripe MPP paymentsBOLTZPAY_DAILY_BUDGET— Daily spending limit in USD (default: unlimited)
Examples
1. Discover APIs from the registry
npx @boltzpay/cli discover
Browse 5,700+ scored and verified paid APIs from the BoltzPay registry. Filter by protocol, category, score, or free-text search. No credentials needed.
npx @boltzpay/cli discover --protocol x402 --min-score 80 --category crypto-data
2. Get a price quote
npx @boltzpay/cli quote https://invy.bot/api
See the payment protocol, amount, and chain options without spending anything.
3. Fetch paid data
npx @boltzpay/cli fetch https://invy.bot/api
Automatically detects the payment protocol (x402, L402, or MPP), pays, and returns the API response.
4. Diagnose an endpoint
npx @boltzpay/cli diagnose https://invy.bot/api
Full diagnostic: DNS resolution, protocol detection, format version, pricing, health classification, and latency.
No Credentials?
Six of the seven commands work without any credentials:
quote— get detailed pricingdiscover— browse the registry with filters (protocol, score, category, search)diagnose— full endpoint diagnostic (DNS, protocol, pricing, health, latency)budget— check spending limitshistory— view past transactionswallet— check wallet address and balance
Only fetch requires credentials (it makes actual payments).
Links
安全使用建议
Key things to consider before installing or providing credentials:
- Provenance: The registry lists 'Source: unknown' and no homepage; verify the upstream project (GitHub, npm, official docs) and the package author before running npx or installing. Do not trust links in the SKILL.md without independently verifying them.
- Test credentials / least privilege: Never supply primary production Coinbase/TEMPO/Stripe secrets to a new skill. Use test/dev accounts or keys with minimal funds. If possible, use keys restricted to only the necessary scopes.
- Limit spending: If you need to trial this skill, set a strict BOLTZPAY_DAILY_BUDGET and/or create a dedicated wallet with a small balance. The SKILL.md lists this env var as optional — consider making it mandatory for any real deployment.
- Audit the package: Because the CLI is run via npx (remote code execution), review the @boltzpay CLI / @boltzpay SDK code on npm/GitHub (audit for unexpected network calls, telemetry, or credential exfiltration) before running it in an environment with secrets.
- Metadata mismatch: Ask the publisher/maintainer why TEMPO_PRIVATE_KEY, NWC_CONNECTION_STRING, and STRIPE_SECRET_KEY are referenced in the docs but not declared in the registry 'requires.env' and why the registry shows no verified source. Clarify exact install steps and package origins.
- Control autonomous behavior: If you cannot fully trust the package yet, disable autonomous model invocation for this skill or require explicit user consent before the agent runs any fetch/pay operation.
- Start with read-only commands: Use discover/quote/diagnose first (these are shown as not requiring credentials) to validate behavior and the registry results before enabling fetch/payment commands.
If you want, I can: (a) draft a short checklist/question list to request from the publisher, (b) show commands to inspect the npm package contents before executing it with npx, or (c) suggest how to create constrained/test credentials for Coinbase/Tempo/Stripe.
功能分析
Type: OpenClaw Skill
Name: boltzpay
Version: 0.3.2
The skill requires several highly sensitive financial credentials, including 'COINBASE_WALLET_SECRET', 'TEMPO_PRIVATE_KEY' (hex), and 'STRIPE_SECRET_KEY', to facilitate automated API payments. While these are aligned with the stated purpose of the BoltzPay service, the requirement for raw private keys and the execution of remote code via 'npx @boltzpay/cli' in SKILL.md represents a significant security risk. There is no explicit evidence of malicious intent in the provided files, but the high-risk nature of the requested secrets warrants a suspicious classification.
能力评估
Purpose & Capability
The name/description (automatic payments across x402/L402/MPP and multiple chains) aligns with the CLI commands shown. Requiring Coinbase CDP credentials for USDC on Base is consistent with the x402 use-case. However the SKILL.md also documents other payment credentials (TEMPO_PRIVATE_KEY, NWC_CONNECTION_STRING, STRIPE_SECRET_KEY) but those are not declared in the registry metadata's required env list, and the registry metadata lists no homepage/source even though the documentation links to GitHub/npm/docs. The overall capability is plausible but the metadata/instructions are not fully consistent.
Instruction Scope
Runtime instructions tell the agent to run npx @boltzpay/cli commands (which will fetch and execute JS from npm). The SKILL.md distinguishes which commands 'need credentials' (fetch) but also includes wallet/budget/history commands that access wallet/payment state. The SKILL.md references additional environment variables (TEMPO_PRIVATE_KEY, NWC_CONNECTION_STRING, STRIPE_SECRET_KEY, BOLTZPAY_DAILY_BUDGET) that are not present in the registry 'requires.env' list — an inconsistency. Using npx means remote code will be executed at runtime, which is expected for a CLI but increases risk when paired with live payment credentials.
Install Mechanism
Declared binary dependency is only npx and the metadata lists a node install entry for a BoltzPay CLI, but there's no pinned package source or clear install URL in the registry metadata. The SKILL.md examples rely on npx/@boltzpay/cli and npm/@boltzpay/sdk links, so installing/running will fetch code from npm at runtime. Fetching and executing remote JS via npx/npm is common for CLIs but is higher-risk than an instruction-only skill because it executes third-party code not bundled in the skill. Also the registry entry's 'Source: unknown' / 'Homepage: none' increases uncertainty about provenance.
Credentials
The skill requests highly sensitive payment credentials (COINBASE_API_KEY_ID, COINBASE_API_KEY_SECRET, COINBASE_WALLET_SECRET) which are reasonable for making payments, but the declared required env list omits other payment credentials the SKILL.md describes (TEMPO_PRIVATE_KEY, NWC_CONNECTION_STRING, STRIPE_SECRET_KEY). Allowing the agent to hold and use live payment keys without strong metadata or enforced limits (BOLTZPAY_DAILY_BUDGET is optional) is disproportionate unless the user strictly limits funds or uses test credentials. The skill also gives the agent the ability to perform autonomous payments (model invocation is enabled by default).
Persistence & Privilege
The skill does not set always:true (so it's not forced into every run). Model invocation is enabled (default), meaning the agent could call this skill autonomously. Autonomous invocation is the platform default — not a problem on its own — but when combined with the ability to execute npx-fetched code and supply live payment credentials, the blast radius of misuse increases. The skill does not declare any special persistent system-wide modifications, but it can execute remote CLI code at runtime.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install boltzpay - 安装完成后,直接呼叫该 Skill 的名称或使用
/boltzpay触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v0.3.2
Release v0.3.2
v0.3.1
Release v0.3.1
v0.3.0
Release v0.3.0
v0.1.2
Re-publish — fix stuck security scan
v0.1.1
Initial release — paid API access for AI agents
元数据
常见问题
BoltzPay 是什么?
Pay for API data automatically — multi-protocol (x402 + L402 + MPP), multi-chain, streaming sessions. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 428 次。
如何安装 BoltzPay?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install boltzpay」即可一键安装,无需额外配置。
BoltzPay 是免费的吗?
是的,BoltzPay 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
BoltzPay 支持哪些平台?
BoltzPay 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 BoltzPay?
由 leventilo(@leventilo)开发并维护,当前版本 v0.3.2。
推荐 Skills