← 返回 Skills 市场

x402 Commerce Kit: Merchant Starter Kit + Payment Rails Guide + Security Hardening

Name: x402 Commerce Kit: Merchant Starter Kit + Payment Rails Guide + Security Hardening
Author: mirni

作者 mirni · GitHub ↗ · v1.3.1 · MIT-0

cross-platform ⚠ suspicious

167

总下载

当前安装

版本数

在 OpenClaw 中安装

/install greenhelix-bundle-x402-commerce-kit

功能描述

Launch a crypto-native storefront from scratch. Includes the x402 Merchant Starter Kit (deployable code), agent payment rails playbook, and commerce security...

使用说明 (SKILL.md)

x402 Commerce Kit: Merchant Starter Kit + Payment Rails Guide + Security Hardening

Included Guides

Guide	Individual Price
x402 Merchant Starter Kit: Deploy Your Own Crypto-Native Storefront	$99.00
The Agent Payment Rails Playbook	$29.00
Locking Down Agent Commerce: The OWASP-Aligned Security Guide for Autonomous AI Agents on GreenHelix	$29.00

Total Value: $157.00 | Bundle Price: $99.00

安全使用建议

Do not provide high-privilege secrets to this skill without further verification. Ask the publisher for the following before installing: (1) the actual deployable code repository or release URL, (2) a clear, step-by-step runtime plan explaining exactly which credential is used for which action, and (3) minimal required scopes for any token. If you must test it, create least-privilege, ephemeral tokens (scoped GitHub token limited to a single repo, Stripe test keys, a throwaway wallet and dashboard account) and run in an isolated environment. Avoid supplying AGENT_SIGNING_KEY or any admin/dashboard secret unless you can inspect the code and confirm necessity. Rotate any keys you exposed during testing.

功能分析

Type: OpenClaw Skill Name: greenhelix-bundle-x402-commerce-kit Version: 1.3.1 The bundle metadata in SKILL.md requests an extensive list of highly sensitive credentials, including GITHUB_TOKEN, STRIPE_API_KEY, WALLET_ADDRESS, and AGENT_SIGNING_KEY. While these permissions are contextually relevant to the stated purpose of launching a crypto-native storefront, the broad access to financial, code, and identity secrets represents a significant security risk. No explicit malicious logic or exfiltration instructions are present in the provided files, but the high-risk credential requirements warrant a suspicious classification.

能力标签

cryptocan-make-purchasesrequires-sensitive-credentials

能力评估

⚠ Purpose & Capability

The metadata promises a deployable 'Merchant Starter Kit' and production code, but there are no code files or install steps. At the same time the skill requires multiple credentials (GITHUB_TOKEN, STRIPE_API_KEY, AGENT_SIGNING_KEY, DASHBOARD_SECRET, etc.) that would give broad operational control. Requiring all of these secrets is disproportionate to what's actually packaged (only an instruction/metadata file).

⚠ Instruction Scope

SKILL.md contains only metadata and a bundle listing; it provides no concrete runtime instructions for safe use. Because it lacks explicit, scoped runtime steps, it's ambiguous what the agent is expected to do with the declared credentials — the instructions do not constrain or justify access to the listed secrets.

✓ Install Mechanism

No install spec and no code files are present, so nothing will be downloaded or written by an installer. That reduces some supply-chain risk, but it also means the skill’s claim of deployable code is unsupported.

⚠ Credentials

The skill requires multiple sensitive environment variables: GITHUB_TOKEN (primary), STRIPE_API_KEY, AGENT_SIGNING_KEY, DASHBOARD_SECRET, GREENHELIX_API_KEY, and WALLET_ADDRESS. While a GitHub token and payment key might be reasonable for deployment and payment integration, AGENT_SIGNING_KEY and DASHBOARD_SECRET are highly sensitive and not justified by the provided content. Combined, these credentials would permit repository access, payment operations, admin dashboard access, and signing authority — an excessive and risky set for an instruction-only bundle.

ℹ Persistence & Privilege

The skill does not request 'always: true' and is user-invocable only. Autonomous invocation is enabled by default (not flagged alone), but given the broad credential requirements this increases potential impact if the agent acts without tight constraints. The skill does not appear to modify other skills or system-wide settings.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install greenhelix-bundle-x402-commerce-kit
安装完成后，直接呼叫该 Skill 的名称或使用 /greenhelix-bundle-x402-commerce-kit 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.3.1

- Added new metadata section specifying required environment variables and primary environment variable for openclaw compatibility. - No changes to product features, pricing, or included guides.

v1.3.0

- Updated version to 1.3.0 in SKILL.md. - No other content changes.

v1.2.0

- Added required credentials: GITHUB_TOKEN, WALLET_ADDRESS, DASHBOARD_SECRET, SSH_DEPLOY_KEY, GREENHELIX_API_KEY, AGENT_SIGNING_KEY, and STRIPE_API_KEY. - No changes to features, price, or included components.

v1.1.0

- Added explicit fields for `executable`, `credentials`, and `install` to metadata. - No changes to bundle contents, pricing, or documentation.

v1.0.0

Initial release of the greenhelix-bundle-x402-commerce-kit. - Launch a crypto-native storefront with deployable code and 2 expert guides. - Bundle includes the x402 Merchant Starter Kit, Agent Payment Rails Playbook, and Commerce Security Hardening Guide. - Deploy your complete storefront in 15 minutes with production-ready code. - Offers a bundled value of $157 for a price of $99.

元数据

Slug greenhelix-bundle-x402-commerce-kit

版本 1.3.1

许可证 MIT-0

累计安装 0

当前安装数 0

历史版本数 5

常见问题