FluxA Agent Wallet for x402 Resources Payment

Name: FluxA Agent Wallet for x402 Resources Payment
Author: cpppppp7

功能描述

A FluxA Agent Wallet skill that enables agents to request budgets, sign x402 payments, and call paid endpoints autonomously. It walks through the full flow—from mandate creation to X-PAYMENT execution—so agents can perform paid actions without human intervention.

使用说明 (SKILL.md)

Quick Start

Step 1: Apply for a budget mandate \x3C!-- -->

# You **MUST** estimate a **total budget** for this task, as it may involve calling tools that require payment via the FluxA Wallet.
# It is recommended to budget **1.5×** the estimated cost.
# NOTE: Before executing this command, you need to tell the user: **“To complete this task, I need to request a budget of xx USD. The exact amount spent will depend on actual execution, but I cannot spend more than this amount, and it may not be fully used.”**

node ./scripts/fluxa-cli.bundle.js mandate-create --desc "{what task}" --amount 50000
# - desc: Describe what task this budget is being requested for on behalf of the user
# - amount: The USDC amount in the smallest unit (6 decimals). For example, 1_000_000 represents 1 USDC.

# NOTE
# You need to remember the mandate ID to request the actual payment later, and ask the user to approve the authorization.
# You can wait about 10 seconds and then check the status using this method.
node ./scripts/fluxa-cli.bundle.js mandate-status --id \x3Cmandate-id>

Step 2: Use the budget mandate to request a payment signature (payment mandate)

node ./scripts/fluxa-cli.bundle.js x402-v3 \
    --mandate \x3CMANDATE_ID> \
    --payload '\x3CJSON>'

# Get `data.xPaymentB64` from response as PAYMENT_MANDATE
# This PAYMENT_MANDATE is sent to the server via the **X-Payment HTTP header** to complete the payment.
curl -H "X-PAYMENT: $PAYMENT_MANDATE" https://api.example.com/paid-endpoint

Example

node ./scripts/fluxa-cli.bundle.js x402-v3 \
--mandate mand_Yfbpmb9PVZl05VaeR9nvQg \
--payload '{
  "x402Version": 1,
  "accepts": [{
    "scheme": "exact",
    ...
    "extra": {
      "name": "USD Coin",
      "version": "2"
    }
  }]
}'

## output:
{
  "success": true,
  "data": {
    "X-PAYMENT": "base64-encoded-payment-header..."
  }
}

Others

Error handing during payment flow(fluxa-cli or server error): see ./error-handle.md

安全使用建议

Before installing or enabling this skill, consider the following: - The skill will contact external FluxA endpoints (agentid.fluxapay.xyz, walletapi.fluxapay.xyz, wallet.fluxapay.xyz by default) and will POST registration info (email, agent name, client info) and payment requests to those services. Verify you trust those endpoints and the skill author — no homepage or source is provided. - The bundle writes persistent files into your home directory (default: ~/.fluxa-ai-wallet-mcp/config.json and audit.log) and will store agent_id / token / jwt there. If you do not want credentials persisted on disk or want isolation, do not install or run it on a host with sensitive data; consider a disposable VM or container. - The runtime docs instruct the agent to auto-generate registration info and explicitly tell the agent not to ask the user for those fields. That behavior could lead to creating identities and requesting budgets/payments without explicit human-provided identity or stricter user confirmation. Require human approval before the skill registers an agent or requests budgets. - The registry metadata omits environment/config requirements even though the code reads many env vars and supports overriding endpoints and data directory. Ask the developer to update the manifest to declare required env vars and the config path, and to document network endpoints and what data is transmitted. - If you still want to use it, test in an isolated environment, inspect the bundled script yourself (it is provided), and restrict the skill from autonomous use (if the platform allows disabling autonomous invocation) until you trust it. If you cannot verify the FluxA endpoints or the author, do not enable the skill on production or on an account containing sensitive credentials. Confidence note: I am medium-confident because the behavior of the code aligns with the skill's described functionality, but the missing manifest declarations, the 'generate identity yourself' instruction, and the lack of a verifiable source/homepage raise non-trivial trust and privacy concerns. Additional information that would raise confidence to high: an authoritative source/homepage for the project, a signed/reputable publisher, explicit manifest entries listing env vars and config paths, and an explicit note in SKILL.md that the agent must get explicit user approval before creating/using an agent ID or spending funds.

功能分析

Type: OpenClaw Skill Name: fluxa-x402-payment Version: 1.0.0 The skill bundle is designed for an AI agent to manage payments via the FluxA Wallet. The `SKILL.md` and other markdown files contain instructions for the agent, primarily focused on transparent communication with the user regarding budget requests and payment status, error handling, and secure agent ID initialization (generating parameters rather than asking the user). The `fluxa-cli.bundle.js` script handles agent registration, JWT management, and payment operations by communicating with legitimate FluxA API endpoints (agentid.fluxapay.xyz, walletapi.fluxapay.xyz) and storing configuration/audit logs in `~/.fluxa-ai-wallet-mcp`. There is no evidence of data exfiltration, malicious execution, persistence mechanisms, or obfuscation, and all actions are aligned with the stated purpose of a payment skill.

能力评估

⚠ Purpose & Capability

The skill's stated purpose (create mandates, sign x402 payments, call paid endpoints) matches the included CLI bundle which talks to a FluxA Agent ID service and Wallet API. However the package metadata declares no required environment variables or config paths while the code clearly uses/accepts many env vars (AGENT_ID_API, WALLET_API, WALLET_APP, FLUXA_DATA_DIR, AGENT_ID, AGENT_TOKEN, AGENT_JWT, AGENT_EMAIL, AGENT_NAME, CLIENT_INFO). That mismatch (declaring nothing but requiring/reading env vars and writing config files) is an incoherence that should be resolved.

⚠ Instruction Scope

SKILL.md instructs the agent to run the bundled CLI to register agents, create mandates, request payments, and send X-PAYMENT headers to external paid endpoints — which is consistent with the purpose. However initialize-agent-id.md tells the agent to 'Generate these parameters yourself' and 'Do not ask the user to fill them in' (email, name, client info). That instruction encourages the agent to fabricate/automatically register identities and proceed without explicit user-provided identity data or explicit user approval, which is scope-creep and a privacy/consent concern. The SKILL.md also does not explicitly disclose the external endpoints the bundle will contact (defaults are baked into the script), so runtime network targets are under-documented.

✓ Install Mechanism

No install spec / no download from external arbitrary URLs; the skill is instruction-only plus a bundled JS CLI that runs locally. There is no packaged install step that fetches remote code at install-time. This reduces install-time supply-chain risk compared to remote downloads.

⚠ Credentials

The registry metadata lists no required credentials or env vars, but the code reads multiple environment variables and will persist agent credentials (agent_id, token, jwt) into a config file under the user's home directory (default ~/.fluxa-ai-wallet-mcp/config.json) and append to an audit.log. The skill will POST registration data (email, name, client_info) and payment requests to external FluxA endpoints. Requesting or persisting credentials and generating identities without declaring these requirements is disproportionate and under-documented.

⚠ Persistence & Privilege

The CLI writes a config file and an audit log into the user's home directory (or FLUXA_DATA_DIR if set), and will save JWTs/tokens there. It does not change other skills or system settings, and always:false is set, but persisting authentication tokens and logs in user home is a material persistence/privacy action that should have been declared and consented to. Combined with autonomous agent invocation (the platform default), this increases the blast radius if the skill is granted permission without scrutiny.

版本历史

v1.0.0

fluxA-x402-payment v1.0.0 - Initial release of FluxA Agent Wallet skill for autonomous budget requests, x402 payment signing, and paid API calls. - Supports full automation from mandate creation to X-PAYMENT execution. - Provides CLI commands and workflow for requesting, tracking, and using payment mandates. - Includes example usage and best practices for budget estimation and approval flow. - Documents error handling references and required user notifications.

元数据

Slug fluxa-x402-payment

版本 1.0.0

许可证 —

累计安装 1

当前安装数 1

历史版本数 1

常见问题