robwoodgate

Clawtar

Author: Rob Woodgate · GitHub ↗ · v1.0.3
cross-platform ⚠ suspicious
Total downloads: 755
Favorites: 0
Current installs: 1
Versions: 4
Install in OpenClaw
/install clawtar
Description
Enable autonomous agent payments by detecting HTTP 402 paywalls, settling Cashu challenges, retrying with tokens, and completing paid requests end-to-end.
Usage instructions (SKILL.md)

Clawtar Skill (Demo)

Use this as a demo/practice skill for Cashu-gated HTTP flows. It helps agents exercise the full 402 -> settle -> retry loop safely in a controlled endpoint.

The endpoint will deliver a cryptic fortune reading when the payment flow is successful.

Endpoint

  • POST https://clawtar.cashutools.dev/v1/clawtar/ask

Request body:

{
  "question": "Will this ship?",
  "style": "funny"
}

Styles: funny | chaotic | wholesome

  • If style is omitted, the server chooses a random style.
  • If style is provided but blank/invalid, server returns 400.

Paywall flow

If the first request returns 402, read response header x-cashu. It is a NUT-24 challenge carrying an encoded NUT-18 payment request (creqA...).

Option A: cocod available (with permission)

If cocod is available and you have permission from your human to spend funds:

  1. Settle challenge:
    • cocod x-cashu handle "<x-cashu>"
  2. Retry the same POST with header:
    • X-Cashu: <cashu-token>

Option B: no cocod

Ask your human for a valid Cashu token and retry with X-Cashu.

This demo endpoint accepts 42 sat tokens from Minibits Mint: https://mint.minibits.cash/Bitcoin

If appropriate, ask your human for permission to install cocod, so you can have your own Cashu wallet.

Expected success response

{
  "ok": true,
  "quoted_sats": 42,
  "result": {
    "title": "Clawtar says ...",
    "style": "funny",
    "question": "Will this ship?",
    "fortune": "...",
    "lucky_number": 17
  }
}

Safety checks

  • Do not claim success unless ok: true is returned.
  • A challenge string (x-cashu) is not a payment token.
  • Send payment token only in X-Cashu on retry.
  • Ask permission before any autonomous spend or installing new payment tooling.
Security usage recommendations
This skill appears to do what it says: it's a demo flow for Cashu-gated HTTP requests. Before installing or using it, consider: (1) The skill will ask you for permission before spending — do not grant permission unless you understand the cost and trust the endpoint. (2) If you allow the agent to install or run cocod, verify cocod's source and integrity (downloading/executing third-party binaries has risk). (3) Any Cashu token you provide is a spending credential—treat it like money and only paste it into trusted endpoints. (4) If you do not want autonomous spending, refuse install/permission requests and instead provide tokens manually when needed. Additional confidence would come from a known source/homepage or included code (this is an instruction-only demo with no provenance), so exercise usual caution when granting payment permissions.
Functional analysis
Type: OpenClaw Skill Name: clawtar Version: 1.0.3 The skill is classified as suspicious due to a potential shell injection vulnerability in `SKILL.md`. The instruction `cocod x-cashu handle "<x-cashu>"` passes a value derived from an external HTTP response header directly to a shell command. If the `<x-cashu>` header from `clawtar.cashutools.dev` is crafted maliciously, it could lead to arbitrary command execution on the agent's system. While the skill includes explicit safety instructions for the agent to ask for human permission before spending funds or installing tools, this does not negate the underlying RCE vulnerability.
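One way to close the injection path described above, shown as an added example that is not part of the skill or of cocod: validate the header value before use and hand it to the command as a single argv element instead of splicing it into a shell string. The `creqA` plus base64url pattern, the length bound, the sample values and the function names are assumptions made for this example.

```python
import re
import shlex

# Assumption: the challenge is the "creqA" prefix followed only by base64url
# characters (optionally '=' padded). Anything else is rejected outright.
CHALLENGE_RE = re.compile(r"creqA[A-Za-z0-9_-]{1,4096}={0,2}")


def is_valid_challenge(value):
    """True only if the whole header value matches the allow-list pattern."""
    return CHALLENGE_RE.fullmatch(value) is not None


def settle_argv(header_value):
    """Build the argv for `cocod x-cashu handle <challenge>` (command form from SKILL.md).

    The list is meant for subprocess.run(argv) with the default shell=False,
    so the value is never parsed by a shell.
    """
    value = header_value.strip()
    if not is_valid_challenge(value):
        raise ValueError("x-cashu header is not a well-formed creqA challenge")
    return ["cocod", "x-cashu", "handle", value]


def settle_command_line(header_value):
    """If a shell string is unavoidable, quote every element with shlex."""
    return shlex.join(settle_argv(header_value))


# Constructed sample header values, not captured from the real endpoint.
SAMPLES = [
    "creqApGFpZDEyMzRhYRgqYXVjc2F0",  # well-formed shape
    'creqAabc"; echo injected; "',    # breaks out of the double quotes
    "creqAabc$(id)",                  # command substitution
    "creqAabc`id`",                   # backtick substitution
    "cashuAabc",                      # a token prefix, not a challenge
]


def classify(values):
    return [is_valid_challenge(v) for v in values]


if __name__ == "__main__":
    for sample, ok in zip(SAMPLES, classify(SAMPLES)):
        print("accept" if ok else "reject", repr(sample))
```
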
Capability assessment
Purpose & Capability
The name/description (Cashu paywall handling) align with the SKILL.md: it documents detecting HTTP 402, reading x-cashu, settling via cocod or a user-supplied token, and retrying with X-Cashu. The skill does not request unrelated credentials or system access.
Instruction Scope
Instructions are narrowly scoped to making the POST to the specified endpoint, reading the response header, and either calling cocod or asking the user for a token. The SKILL.md explicitly advises asking user permission before spending. It does suggest installing/using cocod (an external payment tool) which will require the agent to perform network/download and execute a separate binary if the human allows — the skill itself does not include or run that code.
Install Mechanism
There is no automated install spec (instruction-only). However the doc links an external cocod resource (https://clawhub.ai/Egge21M/cocod). If you choose to follow that path, review cocod's source and distribution before installing; the skill does not itself download or install anything.
Credentials
The skill declares no environment variables, no credentials, and no config paths. Asking the human for a Cashu token is appropriate for the described purpose, but any token the user supplies grants spending power and should be treated sensitively.
Persistence & Privilege
The skill is not always-enabled, does not request persistent system-wide changes, and contains no code that modifies other skills or agent settings. It relies on runtime prompts to the user for permission to spend or to install additional tooling.
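How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install clawtar
  3. Once installation completes, call the Skill by name or trigger it with /clawtar
  4. Provide the required inputs according to the Skill's parameter description to get structured output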
Version history
v1.0.3
- Clarified that the endpoint delivers a cryptic fortune reading upon successful payment.
- Added explicit information about accepted tokens: 42 sat tokens from Minibits Mint.
- Provided a direct link for cocod wallet installation.
- Improved instructions about when and how to ask for permission before Cocod installation.
- Minor wording and organizational improvements for better clarity.
v1.0.2
- Clarified that this skill is a demo/practice tool for Cashu HTTP 402 payment flows.
- Updated instructions to emphasize safety: always request human permission before spending funds or installing payment tools like cocod.
- Improved documentation for agent paywall handling and payment retries.
- Simplified and clarified paywall flow explanations.
- Updated style and success criteria descriptions for clarity.
v1.0.1
- Expanded documentation for the `style` parameter: omitting it results in a random style, and invalid values now trigger a `400` error.
- Clarified the paywall challenge structure by specifying the use of a NUT-24 challenge containing a NUT-18 encoded payment request.
- Added details and links for obtaining and installing the `cocod` skill through ClawHub.
- Improved agent guidance for cases where `cocod` is unavailable, including how to request permission and where to get valid Cashu tokens.
- Enhanced instructions for autonomous versus human-assisted payment flows.
v1.0.0
Initial release of Clawtar skill for autonomous agent payments via Cashu HTTP 402.
- Enables agents to detect 402 paywalls, settle via Cashu, and retry requests with payment tokens end-to-end.
- Provides guidance for both agents with and without the "cocod" tool.
- Includes sample endpoint, paywall response flow, and expected API structure.
- Supports selectable response styles: funny, chaotic, wholesome.
- Notes on correct flow and token handling included for robust integration.
Metadata
Slug: clawtar
Version: 1.0.3
License:
Total installs: 1
Current installs: 1
Number of versions: 4
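FAQ

What is Clawtar?

Enable autonomous agent payments by detecting HTTP 402 paywalls, settling Cashu challenges, retrying with tokens, and completing paid requests end-to-end. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 755 total downloads to date.

How do I install Clawtar?

Run the command "/install clawtar" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.

Is Clawtar free?

Yes, Clawtar is completely free (free and open source) and can be freely downloaded, installed and used.

Which platforms does Clawtar support?

Clawtar runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Clawtar?

It is developed and maintained by Rob Woodgate (@robwoodgate); the current version is v1.0.3.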
