Clawpay

Author: mmchougule · GitHub · v0.1.0
cross-platform ⚠ suspicious
Total downloads: 1553
Favorites: 0
Current installs: 1
Versions: 1
Install in OpenClaw
/install clawpay-2
Description
Private payments for AI agents - no on-chain link between sender and recipient
Usage instructions (SKILL.md)

ClawPay 🦞

Send money privately. Recipient sees funds from Railgun - can't trace back to you.

Just Run It

Prerequisites: You need a wallet private key with USDT on BSC.

Save this as send-private.mjs and run with node send-private.mjs:

// send-private.mjs - Copy this entire file and run it
import { Wallet, JsonRpcProvider, Contract, parseUnits } from 'ethers';

// ============ CONFIGURE THESE ============
const PRIVATE_KEY = process.env.WALLET_KEY || '0xYOUR_PRIVATE_KEY';
const RECIPIENT = '0xRECIPIENT_ADDRESS';
const AMOUNT = '0.10';  // USDT amount
// =========================================

const API = 'https://clawpay.dev';
const BSC_RPC = 'https://bsc-dataseed.binance.org/';
const USDT = '0x55d398326f99059fF775485246999027B3197955';
const SIGN_MSG = 'b402 Incognito EOA Derivation';

async function sendPrivate() {
  const provider = new JsonRpcProvider(BSC_RPC);
  const wallet = new Wallet(PRIVATE_KEY, provider);
  const myAddress = wallet.address;

  console.log('Sending', AMOUNT, 'USDT privately to', RECIPIENT);
  console.log('From wallet:', myAddress, '\n');

  // 1. Sign message
  console.log('1. Signing...');
  const signature = await wallet.signMessage(SIGN_MSG);

  // 2. Get invoice address
  console.log('2. Getting invoice...');
  const invoiceRes = await fetch(
    API + '/invoice?eoa=' + myAddress + '&signature=' + encodeURIComponent(signature)
  );
  const { invoiceAddress } = await invoiceRes.json();
  console.log('   Invoice:', invoiceAddress);

  // 3. Transfer USDT to invoice
  console.log('3. Transferring USDT to invoice...');
  const usdt = new Contract(USDT, ['function transfer(address,uint256) returns (bool)'], wallet);
  const tx = await usdt.transfer(invoiceAddress, parseUnits(AMOUNT, 18));
  console.log('   TX:', tx.hash);
  await tx.wait();

  // 4. Execute private transfer
  console.log('4. Executing private transfer...');
  const transferRes = await fetch(API + '/transfer', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({
      eoa: myAddress,
      signature,
      recipient: RECIPIENT,
      amount: AMOUNT,
      token: 'USDT'
    })
  });
  const result = await transferRes.json();

  if (result.transferId) {
    console.log('\n✓ SUCCESS!');
    console.log('Transfer ID:', result.transferId);
    console.log('Status:', result.status);
    console.log('\nRecipient gets funds from Railgun in ~60 seconds.');
    console.log('They CANNOT see your wallet address.');
    console.log('\nCheck status: curl ' + API + '/status/' + result.transferId);
  } else {
    console.log('Error:', result.error);
  }
}

sendPrivate().catch(console.error);

Run it:

npm install ethers
WALLET_KEY=0xYourPrivateKey node send-private.mjs

How It Works

YOU                    CLAWPAY API                 RECIPIENT
 │                          │                          │
 ├── USDT to invoice ──────►│                          │
 │                          │                          │
 ├── Sign message ─────────►│                          │
 │                          │                          │
 ├── POST /transfer ───────►│                          │
 │                          ├── Shield (Railgun) ─────►│
 │                          ├── ZK Proof (~60s) ──────►│
 │                          ├── Unshield ─────────────►│
 │                          │                          │
 │                          │    Funds from "Railgun"  │
 │                          │    NO LINK TO YOU        │

API Reference

Base URL: https://clawpay.dev

| Endpoint | Method | Description |
| --- | --- | --- |
| /health | GET | API status |
| /invoice?eoa=...&signature=... | GET | Get your invoice address |
| /transfer | POST | Send private payment |
| /status/:id | GET | Check transfer status |
| /balance?eoa=...&signature=...&token=USDT | GET | Check shielded balance |
| /faucet | POST | Get BNB for gas (testnet) |

POST /transfer

{
  "eoa": "0xYourAddress",
  "signature": "0xSignedMessage...",
  "recipient": "0xRecipientAddress",
  "amount": "1.00",
  "token": "USDT"
}

Response:

{
  "transferId": "tx_123...",
  "status": "pending",
  "message": "Transfer initiated"
}

Status flow: pending → shielding → proving → complete


No Private Key? Use Bankr Wallet

If you're an agent without direct wallet access, use Bankr:

// 1. Get your wallet from Bankr
const bankrWallet = await bankr.getWallet();

// 2. Sign the ClawPay message
const signature = await bankr.signMessage('b402 Incognito EOA Derivation');

// 3. Use signature with ClawPay API
// (same flow as above)

Supported Tokens (BSC)

| Token | Address |
| --- | --- |
| USDT | 0x55d398326f99059fF775485246999027B3197955 |
| USDC | 0x8AC76a51cc950d9822D68b83fE1Ad97B32Cd580d |

Need Gas?

curl -X POST https://clawpay.dev/faucet \
  -H "Content-Type: application/json" \
  -d '{"address": "0xYourAddress"}'

Troubleshooting

| Error | Fix |
| --- | --- |
| "Insufficient balance" | Transfer USDT to invoice first |
| "Signature does not match" | Sign exact message: b402 Incognito EOA Derivation |
| "No spendable UTXOs" | Wait 2 min after funding invoice |

Privacy for the agent economy | Built on Railgun | https://clawpay.dev

Security usage recommendations
Before using this skill:
(1) Understand the trust model — the script sends USDT to an invoice address returned by https://clawpay.dev and then asks that service to shield/unshield; you are trusting that operator with your funds and the privacy claim.
(2) Do not paste your private key into unknown code or into environment variables on shared machines. Prefer a hardware wallet, an in-process signing flow, or the referenced Bankr wallet (verify Bankr's provenance) rather than exposing WALLET_KEY.
(3) The skill metadata fails to declare that a private key is required — treat that as a red flag and ask the publisher to add explicit required env var declarations.
(4) Verify the service: check clawpay.dev ownership, source code, audits of the Railgun integration, and community reputation before sending real funds.
(5) Test with a very small amount first and inspect the returned invoice address and API responses.
(6) If you allow agent autonomy, restrict this skill from running without explicit user confirmation because it can initiate on-chain transfers when provided with signing credentials.
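A guard that applies recommendations (5) and (6) to the script's invoice step, as an added example that is not part of the skill or of ClawPay's code. The function names, the amount cap and the address-pinning rule are assumptions made for illustration; pinning assumes the service returns a stable invoice address per wallet, which the page does not state.

```javascript
// Added example, not ClawPay code: checks to run between steps 2 and 3.
const USDT = '0x55d398326f99059fF775485246999027B3197955'; // from the page
const ZERO = '0x' + '0'.repeat(40);
const ADDR_RE = /^0x[0-9a-fA-F]{40}$/;

// Validate the /invoice reply before any funds move. `status` is the HTTP
// status code, `body` the parsed JSON, `sender` the wallet's own address.
function checkInvoice(status, body, sender) {
  if (status !== 200) throw new Error('invoice request failed: HTTP ' + status);
  const addr = body && body.invoiceAddress;
  if (typeof addr !== 'string' || !ADDR_RE.test(addr)) {
    throw new Error('invoiceAddress missing or not a 20-byte hex address');
  }
  const a = addr.toLowerCase();
  if (a === ZERO) throw new Error('invoiceAddress is the zero address');
  if (a === USDT.toLowerCase()) throw new Error('invoiceAddress is the token contract');
  if (a === sender.toLowerCase()) throw new Error('invoiceAddress equals the sender');
  return addr;
}

// Policy gate (hypothetical rules for this example). `cap` is a per-transfer
// limit, `pinned` the invoice address recorded on an earlier small test
// transfer (null on first use), and `confirmed` must come from a human.
function gateTransfer({ amount, cap, invoice, pinned, confirmed }) {
  const value = Number(amount);
  if (!Number.isFinite(value) || value <= 0) return { ok: false, reason: 'bad amount' };
  if (value > cap) return { ok: false, reason: 'amount exceeds cap' };
  if (pinned && pinned.toLowerCase() !== invoice.toLowerCase()) {
    return { ok: false, reason: 'invoice address changed since last run' };
  }
  if (!confirmed) return { ok: false, reason: 'user confirmation required' };
  return { ok: true, reason: 'approved' };
}

// Constructed sample values, not real addresses or real API output.
const SENDER = '0x' + '1'.repeat(40);
const SAMPLE_BODY = { invoiceAddress: '0x' + '2'.repeat(40) };
const invoice = checkInvoice(200, SAMPLE_BODY, SENDER);
console.log(gateTransfer({ amount: '0.10', cap: 1, invoice, pinned: null, confirmed: false }));
```

In the script, `checkInvoice` would take `invoiceRes.status` and the parsed body, and the `usdt.transfer` call would run only when `gateTransfer` returns `ok: true`.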
Functional analysis
Type: OpenClaw Skill
Name: clawpay-2
Version: 0.1.0

The skill instructs the AI agent to directly handle and use a private key (via `process.env.WALLET_KEY` or hardcoded) to perform financial transactions on the blockchain. The `SKILL.md` file contains a JavaScript script (`send-private.mjs`) that uses this private key to sign messages and transfer USDT to an external service (`https://clawpay.dev`). While the stated purpose is to facilitate private payments, requiring an agent to manage and utilize a private key for direct blockchain transactions represents a very high-risk capability and broad permission, even without clear evidence of intentional malicious redirection of funds within the provided code.
Capability assessment
Purpose & Capability
The name/description (private payments via Railgun) match the runtime instructions: sign a wallet message, send USDT to an invoice address, and call clawpay.dev endpoints to shield/unshield. However the skill metadata declares no required credentials or env vars while the runtime instructions explicitly require a wallet private key (WALLET_KEY). That omission is an incoherence between claimed requirements and actual needs.
Instruction Scope
SKILL.md contains clear, concrete runtime steps (node script, sign message, call API endpoints, transfer tokens to invoice). It does not instruct the agent to read unrelated files or system secrets beyond the wallet key. The instructions do require executing user-supplied JS and making network calls to clawpay.dev, which is expected for this purpose.
Install Mechanism
This is instruction-only (no install spec, no downloaded code). The user is told to run npm install ethers and execute the provided script locally — the install surface is small and transparent.
Credentials
The runtime requires a wallet private key (WALLET_KEY) but the skill metadata lists no required env vars or primary credential. Requesting a private key is proportionate to making payments, but the metadata omission is misleading and increases risk (users or agents may not realize a secret is needed). Also relying on an external API (clawpay.dev) means the service operator can control the invoice addresses and the shielding flow — users must trust that operator with custody or routing of funds.
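One way to detect the mismatch described above, as an added example that is not part of the platform's scanner: list the environment variables and signing calls a skill's instructions use and compare them with what its metadata declares. The `declaredEnv` argument is a hypothetical stand-in for the platform's metadata field, and the excerpt is copied from the script on this page.

```javascript
// Added example: find secrets a skill's text uses but its metadata omits.
function findSecretUse(skillText) {
  const env = new Set();
  // Node-style reads such as process.env.WALLET_KEY.
  for (const m of skillText.matchAll(/process\.env\.([A-Za-z_][A-Za-z0-9_]*)/g)) {
    env.add(m[1]);
  }
  // Shell-style `NAME=value command` assignments, as in the "Run it" line.
  for (const m of skillText.matchAll(/^[ \t]*([A-Z][A-Z0-9_]*)=\S+[ \t]+\S+/gm)) {
    env.add(m[1]);
  }
  const signals = [];
  if (/new\s+Wallet\s*\(/.test(skillText)) signals.push('constructs a Wallet from a raw key');
  if (/\.signMessage\s*\(/.test(skillText)) signals.push('signs messages');
  if (/\.transfer\s*\(/.test(skillText)) signals.push('calls a token transfer');
  return { env: [...env].sort(), signals };
}

// `declaredEnv` is a hypothetical list of env vars named in skill metadata.
function auditDeclarations(skillText, declaredEnv) {
  const { env, signals } = findSecretUse(skillText);
  const undeclared = env.filter((name) => !declaredEnv.includes(name));
  return {
    undeclared,
    signals,
    // Flag when an undeclared variable appears in text that can move funds.
    flag: undeclared.length > 0 && signals.length > 0,
  };
}

// Excerpt of the SKILL.md lines shown on this page.
const EXCERPT = [
  "const PRIVATE_KEY = process.env.WALLET_KEY || '0xYOUR_PRIVATE_KEY';",
  'const wallet = new Wallet(PRIVATE_KEY, provider);',
  'const signature = await wallet.signMessage(SIGN_MSG);',
  'const tx = await usdt.transfer(invoiceAddress, parseUnits(AMOUNT, 18));',
  'WALLET_KEY=0xYourPrivateKey node send-private.mjs',
].join('\n');

// The skill's metadata declares no env vars, so the declared list is empty.
console.log(auditDeclarations(EXCERPT, []));
```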
Persistence & Privilege
The skill does not request persistent presence (always:false), does not modify other skills or system configs, and has no install actions. Autonomous invocation is allowed by default on the platform; that is normal but raises general caution when combined with credential access (see guidance).
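How to use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Enter the install command in the chat box: /install clawpay-2
  3. Once installed, invoke the Skill by name or trigger it with /clawpay-2
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history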
v0.1.0
- Major update: SKILL.md rewritten for version 1.1.0 with detailed usage, API reference, and troubleshooting.
- Added complete usage guide including sample Node.js script for sending private USDT payments.
- Expanded API documentation with all endpoint descriptions and example payloads.
- Included quickstart instructions, prerequisites, and support for Bankr wallet flows.
- Provided guidance for common errors and testnet faucet usage.
- Enhanced clarity around privacy features and supported tokens.
Metadata
Slug: clawpay-2
Version: 0.1.0
License:
Total installs: 1
Current installs: 1
Historical versions: 1
FAQ

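What is Clawpay?

Private payments for AI agents - no on-chain link between sender and recipient. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 1553 total downloads to date.

How do I install Clawpay?

Run the command "/install clawpay-2" in the OpenClaw or Claude Code chat box for one-click installation; no additional configuration is required.

Is Clawpay free?

Yes, Clawpay is completely free (free and open source) and can be freely downloaded, installed, and used.

Which platforms does Clawpay support?

Clawpay runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Clawpay?

Developed and maintained by mmchougule (@mmchougule); the current version is v0.1.0.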
