Total downloads: 664
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install near-getpay
Description
Accept crypto payments (NEAR, USDC, USDT) via a beautiful payment page with PingPay or HOT PAY integration.
Security usage recommendations
What to consider before installing:
- Secrets: Do NOT paste API keys or private keys directly into chat with an agent. Prefer adding them to the skill's .env file on your machine and keep the file local (gitignored). The SKILL.md example encourages pasting keys into chat — avoid that.
- Required binaries: The runtime spawns 'npx', 'ts-node' and an 'ssh' reverse tunnel (localhost.run). Make sure those binaries are present and that you're comfortable exposing a local port via an external tunnel.
- Sensitive keys: The skill may require PINGPAY_API_KEY and (for automated on-chain payments) NEAR account credentials/private key. Only give the minimum-permission API key and consider creating a test key or account.
- Public exposure: The start script opens a public URL to your local server. Run this only from a machine you control and consider using a paid/protected tunnel (ngrok/Cloudflare Tunnel) rather than an ephemeral ssh tunnel if you need production stability.
- Cross-skill import: The orchestrator dynamically imports '../near-intents' and calls executeIntent for swaps/bridges. If you intend to use that functionality, inspect the near-intents code (and keep private keys secure). If you don't need on-chain automation, limit configuration to PingPay/HOT PAY checkout-only flows.
- Verify claims: Inspect .env.example, server code, and PingPay/HOT PAY integration endpoints to confirm behavior matches your expectations before running. If you want to be cautious, run the server in an isolated environment (container or VM) and do an offline review of the dependencies that npm install would pull in.
Functional analysis
Type: OpenClaw Skill
Name: near-getpay
Version: 1.0.0
The skill is classified as suspicious due to several security vulnerabilities and risky practices, despite its stated benign purpose of creating a crypto payment page. Key indicators include the `start-tunnel.ts` script disabling SSH host key checking (`-o StrictHostKeyChecking=no`), which makes the public tunnel vulnerable to man-in-the-middle attacks. Additionally, the `SKILL.md` and `README.md` documentation recommend generating SSH keys without a passphrase (`-N ""`) for `localhost.run` troubleshooting, which is a security weakness. Furthermore, the `server-simple.ts` file is vulnerable to self-XSS if the `RECIPIENT_ADDRESS` environment variable contains malicious HTML/JavaScript. While the `index.ts` file handles sensitive crypto transactions requiring a NEAR private key, this is for programmatic invoice *payment* (not the public payment page) and is explicitly documented, indicating a high-risk capability rather than direct malice.
Capability assessment
Purpose & Capability
The code implements a hosted payment page, PingPay client, and an orchestrator for on-chain swaps/bridges; these align with the stated purpose. However the skill also exposes functions that call a separate 'near-intents' module to perform swaps/bridges (index.ts/payment-orchestrator), which is more than a simple static checkout page — this is plausible but broader than the minimal 'payment page' claim.
Instruction Scope
SKILL.md instructs the agent to ask users to "share" API keys in chat or add them to .env. Having the agent solicit secrets over chat is risky and not limited in the instructions. The runtime steps create a public tunnel (ssh to localhost.run) and run local code (npx/ts-node) — these are expected for exposing a page but mean a local service will be exposed externally. The skill also dynamically imports a '../near-intents' module and calls executeIntent, giving it the ability to run cross-skill/local code for on-chain actions.
Install Mechanism
There is no formal install spec in the registry (instruction-only), but the package includes package.json and expects npm install and npx/ts-node. All dependencies come from npm (common packages). No remote downloads or obscure URLs were found. However required binaries like 'ssh' and 'npx'/'ts-node' are used but not declared in the top-level registry metadata, which is inconsistent.
Credentials
The top-level registry metadata reported 'no required env vars', but skill.json and the code expect RECIPIENT_ADDRESS, PAYMENT_PROVIDER and (in practice) PINGPAY_API_KEY and HOTPAY item IDs; index.ts and usage text also reference NEAR_ACCOUNT_ID and NEAR_PRIVATE_KEY for on-chain payments. Sensitive credentials (PingPay API key, potentially NEAR private key) are required for full functionality; these are proportionate for payment operations but the skill's metadata and SKILL.md are inconsistent about which variables are required and the SKILL.md explicitly encourages pasting keys into chat, increasing exfiltration risk.
Persistence & Privilege
The skill does not request permanent platform-wide presence (always:false) and does not modify other skills' configurations. It does import a ../near-intents module if available which could invoke other skill logic, but the skill itself does not persist beyond running the local server and tunnel.
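How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install near-getpay
- After installation, call the Skill by name or use /near-getpay to trigger it
- Provide the required input according to the Skill's parameter description to get structured output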
Version history
v1.0.0
Initial release of near-getpay: simple crypto payment pages with NEAR, USDC, and USDT support.
- Accept crypto payments via a hosted, mobile-friendly payment page.
- Integrates with PingPay or HOT PAY for checkout and processing.
- Allows configuration of payment tokens (NEAR, USDC, USDT) and provider selection.
- Easy onboarding with setup wizard and public link via localhost.run tunnel.
- Smart token selection and amount presets for a smooth user experience.
- Documentation includes installation, configuration, customization, troubleshooting, and sharing instructions.
Metadata
FAQ
What is Near Getpay - Accept crypto payments with payment page using PingPay or HOT PAY?
Accept crypto payments (NEAR, USDC, USDT) via a beautiful payment page with PingPay or HOT PAY integration. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 664 downloads to date.
How do I install Near Getpay - Accept crypto payments with payment page using PingPay or HOT PAY?
Run the command "/install near-getpay" in the OpenClaw or Claude Code chat box for a one-click install; no additional configuration is required.
Is Near Getpay - Accept crypto payments with payment page using PingPay or HOT PAY free?
Yes, Near Getpay - Accept crypto payments with payment page using PingPay or HOT PAY is completely free (open source and free) and can be freely downloaded, installed and used.
Which platforms does Near Getpay - Accept crypto payments with payment page using PingPay or HOT PAY support?
Near Getpay - Accept crypto payments with payment page using PingPay or HOT PAY is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Near Getpay - Accept crypto payments with payment page using PingPay or HOT PAY?
Developed and maintained by Cuong DC (@cuongdcdev); the current version is v1.0.0.