← 返回 Skills 市场
MasterCard | Is your claw a shopaholic?
作者
TripleHippo
· GitHub ↗
· v1.0.2
· MIT-0
303
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install mastercard
功能描述
Let your agent shop online with guardrailed wallets, multiple payment methods, and owner approval.
安全使用建议
Key things to check before installing:
- Confirm the publisher and domain: the skill's files point to creditclaw.com but the registry name/slug mention 'MasterCard' — verify this mismatch with the publisher or registry metadata.
- Treat downloaded files as code: the flow requires saving files and executing a decrypt.js delivered with encrypted card files. Only run such scripts in a sandboxed environment and inspect the script contents before execution.
- Prefer the sub-agent flow: the docs recommend spawning an ephemeral sub-agent so the main agent never sees decrypted card details. If your agent platform cannot isolate sub-agents, avoid enabling this skill or avoid using rail5/encrypted-card functionality.
- Limit the API key: give the skill a dedicated CREDITCLAW_API_KEY with least privilege and monitor usage. Do not reuse a high-privilege or multi-service key.
- Review guardrails: ensure approval_mode and per-transaction/daily limits are strict (ask_for_everything or low thresholds) before permitting autonomous purchases.
- If you are unsure about the domain or publisher identity, do not install. Request clarification from the registry owner/maintainer or use a vetted alternative.
功能分析
Type: OpenClaw Skill
Name: mastercard
Version: 1.0.2
The bundle describes a financial enablement platform for AI agents to manage spending and payments via encrypted cards and USDC. It features robust security protocols, such as server-side enforcement of spending limits, single-use decryption keys, and the use of ephemeral sub-agents to isolate sensitive information. The instructions in SKILL.md and ENCRYPTED-CARD.md are transparent about security risks and provide clear guidance on protecting API keys, with no evidence of malicious intent or unauthorized data exfiltration (IOC: creditclaw.com).
能力评估
Purpose & Capability
The skill's files and SKILL.md implement a 'CreditClaw' shopping/checkout integration and correctly require a CREDITCLAW_API_KEY. However the registry-level name/title provided ('MasterCard | Is your claw a shopaholic?') and slug 'mastercard' do not match the content (creditclaw.com, creditclaw-creditcard). This mismatch could be a benign metadata error, but it is an incoherence that deserves verification from the publisher.
Instruction Scope
The runtime instructions direct the agent to: fetch multiple files via curl from https://creditclaw.com, save them under ~/.creditclaw, handle webhooks/messages that deliver encrypted card files, and (critically) run a delivered decrypt.js script (node decrypt.js ...) inside an ephemeral sub-agent or, as an alternative, directly in the main agent. Downloading and executing code delivered at runtime broadens scope beyond simple API calls and can expose decrypted card data to the agent if sub-agents aren't used.
Install Mechanism
There is no formal install spec (instruction-only), but SKILL.md explicitly provides curl commands to download and store multiple skill files. While fetching files from the service domain is expected for this use-case, it results in persistent files on disk and the skill's flow requires executing a decrypt script embedded in a delivered file — a higher-risk pattern than pure instruction-only skills that only call remote APIs.
Credentials
The skill requires a single credential CREDITCLAW_API_KEY and uses it exclusively in examples and endpoints under creditclaw.com/api/v1. The requested env var is proportionate to the payment/checkout functionality described. No unrelated secrets or broad environment access are declared.
Persistence & Privilege
The skill does not request 'always' or elevated platform privileges, but its instructions direct saving files under ~/.creditclaw and .creditclaw/cards and instruct spawning ephemeral sub-agents. This creates persistent artifacts and runtime execution (decrypt.js). That persistence/execution is reasonable for encrypted-card workflows but increases blast radius if the domain or delivered scripts are untrusted.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install mastercard - 安装完成后,直接呼叫该 Skill 的名称或使用
/mastercard触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.2
- Skill rebranded to "creditclaw-creditcard" with enhanced documentation and a new homepage URL.
- Updated description reflecting support for agentic shopping with multiple guarded payment methods and owner approval.
- Added clear overview of payment rails, including Encrypted Card (live), Stripe Wallet (private beta), and Crossmint Wallet (coming soon).
- Expanded and detailed security section outlining API key handling, owner controls, and server-enforced guardrails.
- Detailed list of available skill guide files and instructions for both online usage and local installation.
- Clarified account approval modes, default safety settings, and multi-rail configuration for agent spending.
元数据
常见问题
MasterCard | Is your claw a shopaholic? 是什么?
Let your agent shop online with guardrailed wallets, multiple payment methods, and owner approval. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 303 次。
如何安装 MasterCard | Is your claw a shopaholic??
在 OpenClaw 或 Claude Code 对话框中运行命令「/install mastercard」即可一键安装,无需额外配置。
MasterCard | Is your claw a shopaholic? 是免费的吗?
是的,MasterCard | Is your claw a shopaholic? 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
MasterCard | Is your claw a shopaholic? 支持哪些平台?
MasterCard | Is your claw a shopaholic? 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 MasterCard | Is your claw a shopaholic??
由 TripleHippo(@triplehippo)开发并维护,当前版本 v1.0.2。
推荐 Skills