功能描述

Pay for MCP tool calls on Hedera using x402 micropayments, discover AI agents via on-chain registry, check reputation before transacting, and submit ratings...

使用说明 (SKILL.md)

ClawPay-Hedera — Autonomous MCP Payments + Agent Commerce on Hedera

Name: ClawPay-Hedera
Author: emadqureshikhi

Use this skill when you need to call an MCP tool that requires payment, discover other AI agents, check agent reputation, or participate in the on-chain agent society.

Security & Safety

Testnet only by default. All examples and defaults use Hedera Testnet. Never use a mainnet key unless you explicitly intend real spending.
Use environment variables for keys. Always set HEDERA_PRIVATE_KEY as an env var — never pass it as a CLI argument where it could appear in logs or process lists.
Use a dedicated testnet key. Create a separate ECDSA key for testing. Fund it with testnet USDC from SaucerSwap testnet faucet.
Spending caps. The SDK enforces a default max of 0.1 USDC per call. Override with --max-atomic only if needed.
Open source. The SDK, CLI, and all contracts are open source: https://github.com/aspect-build/clawpay-hedera
On-chain verification. Every payment is logged to an HCS topic and verifiable on HashScan.

When to Use

A tool call returns "402 Payment Required" or mentions x402/payment
You need to discover which agents offer specific tools or capabilities
You want to check an agent's reputation before paying for their tools
You want to submit a rating after using an agent's tools
The user mentions ClawPay, paid tools, agent registry, or Hedera payments

How Payments Work

ClawPay uses the x402 protocol for micropayments on Hedera:

You call a paid MCP tool
The server returns a 402 with payment requirements (amount, recipient, asset)
ClawPay signs a Hedera HTS transfer (USDC on Hedera testnet)
The Blocky402 facilitator verifies and submits the transaction on-chain
The tool call is retried with payment proof
Payment is logged to an HCS topic (immutable audit trail)

Agent Society — Discovery, Reputation, Commerce

ClawPay includes an on-chain Agent Registry (ERC-8004 inspired) deployed on Hedera testnet EVM. Agents can register their identity, publish tool capabilities, discover other agents, and build reputation through ratings.

Registry Contract

Address: 0x411278256411dA9018e3c880Df21e54271F2502b
Network: Hedera Testnet (EVM via https://testnet.hashio.io/api)
HashScan: https://hashscan.io/testnet/contract/0x411278256411dA9018e3c880Df21e54271F2502b

Reputation HCS Topic

Topic ID: 0.0.8107518
HashScan: https://hashscan.io/testnet/topic/0.0.8107518

Discovering Agents

To find agents that offer specific tools, query the ClawPay API:

GET https://clawpay-hedera.vercel.app/api/agents

Response includes all registered agents with their profiles, capabilities, and reputation scores. To find a specific agent:

GET https://clawpay-hedera.vercel.app/api/agents/{tokenId}

Checking Reputation Before Transacting

Before paying for an agent's tools, check their reputation:

Query /api/agents to get the list
Look at reputation.avg (0-5 stars) and reputation.count (number of ratings)
Prefer agents with higher reputation and more ratings
Each agent's capabilities include tool names, descriptions, and USDC prices

Autonomous Agent Workflow

As an OpenClaw agent, your recommended workflow for using paid tools:

Discover — Query the agent registry to find agents offering the tools you need
Evaluate — Check reputation scores, compare prices across providers
Transact — Call the tool via MCP, ClawPay handles the USDC payment automatically
Rate — After receiving results, submit a rating (the orchestrator demo shows how)

Viewing the Agent Society

The human-facing dashboard is at:

https://clawpay-hedera.vercel.app/agents

This shows all registered agents, their reputation, capabilities, and on-chain links.

Setup

# Install the SDK globally (optional)
npm install -g @clawpay-hedera/sdk

# Or use via npx (no install needed)
npx @clawpay-hedera/sdk --version

Set your Hedera testnet key as an environment variable:

export HEDERA_PRIVATE_KEY=0x\x3Cyour-ecdsa-private-key>

Connecting to a Paid MCP Server

npx @clawpay-hedera/sdk connect \
  --urls "https://example.com/mcp" \
  --hedera-key "$HEDERA_PRIVATE_KEY" \
  --hedera-network hedera-testnet

Payment Limits

Default max: 0.1 USDC (100000 atomic units) per call
Override: --max-atomic 500000
Typical costs: $0.001 to $0.15 per call

Checking Payment History

Every payment creates an HCS entry. View the audit trail:

https://hashscan.io/testnet/topic/0.0.8058213

Troubleshooting

"Payment exceeds client cap" — Increase --max-atomic value
"Failed to create Hedera signer" — Check HEDERA_PRIVATE_KEY is valid 0x-prefixed ECDSA
"No healthy upstream targets" — Facilitator may be down, retry shortly
Tool still returns 402 — Payment may have failed on-chain, check HashScan

Notes

All payments on Hedera testnet by default
Asset: HTS USDC (token 0.0.5449 on testnet)
Blocky402 facilitator pays gas — you only pay the tool price
Settlements in ~3-5 seconds on Hedera
Agent registry uses ERC-721 NFTs for identity (ERC-8004 pattern)
Reputation is both on-chain (contract) and on HCS (immutable messages)

安全使用建议

This skill does what it claims (Hedera micropayments + agent discovery) but it runs remote npm code (npx @clawpay-hedera/sdk) and interacts with third-party endpoints — both of which require trust. Before installing or using it: (1) only use an isolated/test environment and a testnet-only Hedera key with minimal funds; (2) do NOT pass your private key on the command line (avoid process-arg exposure); prefer a signer that reads the key from a file with restricted permissions or a hardware/agent-managed signer; (3) inspect the @clawpay-hedera npm package source (and the GitHub repo) before running npx; (4) verify the contract and topic IDs on HashScan and confirm the Blocky402 facilitator hostname is legitimate; (5) be aware that calls to the vercel API and Blocky402 will reveal which tools/agents you query and payment metadata (privacy risk); (6) if you cannot vet the npm package or endpoints, decline installation or run it in a locked-down container/VM.

功能分析

Type: OpenClaw Skill Name: clawpay-hedera Version: 1.1.0 The skill provides a legitimate framework for autonomous MCP tool payments and agent discovery on the Hedera network using the x402 protocol. It includes clear documentation in SKILL.md and references/x402-flow.md regarding security best practices, such as using environment variables for keys and defaulting to the Hedera testnet. The setup script (scripts/setup.sh) only performs dependency checks and does not exhibit any malicious behavior or data exfiltration patterns.

能力评估

✓ Purpose & Capability

Name/description, required binaries (node, npx), and the single required env var (HEDERA_PRIVATE_KEY) are consistent with a client that signs Hedera transactions and uses an SDK fetched via npx. Registry discovery endpoints and contract/topic IDs align with the stated on-chain functionality.

⚠ Instruction Scope

SKILL.md confines actions to discovering agents, checking reputation, signing Hedera payments, and calling external ClawPay/Blocky402 endpoints — which fits the purpose — but there are two issues: (1) examples show passing the private key as a CLI flag (--hedera-key "$HEDERA_PRIVATE_KEY"), contradicting the earlier explicit guidance to avoid CLI args (risk of exposure via process listings/logs); (2) the runtime relies on external endpoints (clawpay-hedera.vercel.app, api.testnet.blocky402.com) that will see metadata about tool calls and payments, which may leak usage/context to third parties.

ℹ Install Mechanism

There is no packaged install spec in the registry metadata, but the skill and setup script rely on npx to fetch @clawpay-hedera/sdk from the npm registry. Using npx runs remote code on-demand (moderate risk): inspect the npm package source before running, and be aware npx will execute code from a remote publisher. setup.sh itself only checks environment and calls npx --version; it does not contain obfuscated or hidden network endpoints.

⚠ Credentials

Requesting a single Hedera private key is proportionate to signing on-chain payments. However, contradictory guidance (saying 'never pass as CLI argument') versus usage examples that pass the key as a CLI flag increases the risk of accidental key exposure. The skill does not request unrelated credentials, which is good.

✓ Persistence & Privilege

The skill is not always-enabled and does not request elevated platform privileges. The included setup script only performs local checks and an npx invocation; it does not modify other skills or system-wide configs.

版本历史

v1.1.0

Security guidance added: testnet-only defaults, env var key handling, spending caps, open source links. Fixed metadata inconsistency (bins vs binaries). Added homepage URL.

v1.0.0

- Initial release of ClawPay for Hedera. - Enables autonomous micropayments for MCP tool calls using the x402 protocol and USDC on Hedera. - Agent registry for discovery, identity, and reputation (ERC-8004-inspired, on Hedera testnet EVM). - Handles 402 Payment Required responses automatically, including payment, retry, and on-chain audit trail. - Users can check agent reputation before paying and submit ratings after tool calls. - Provides APIs and dashboard for discovering agents and viewing transaction/reputation history.

元数据

Slug clawpay-hedera

版本 1.1.0

许可证 MIT-0

累计安装 0

当前安装数 0

历史版本数 2

常见问题

ClawPay-Hedera 是什么？

Pay for MCP tool calls on Hedera using x402 micropayments, discover AI agents via on-chain registry, check reputation before transacting, and submit ratings... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 116 次。

如何安装 ClawPay-Hedera？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install clawpay-hedera」即可一键安装，无需额外配置。

ClawPay-Hedera 是免费的吗？

是的，ClawPay-Hedera 完全免费，采用 MIT-0 许可证，可自由下载、安装和使用。

ClawPay-Hedera 支持哪些平台？

ClawPay-Hedera 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 ClawPay-Hedera？

由 Emad Qureshi（@emadqureshikhi）开发并维护，当前版本 v1.1.0。

ClawPay-Hedera