ok-james-01

Okx 402 Payment

Author: ok-james-01 · GitHub · v2.6.0 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 154
Favorites: 0
Current installs: 0
Versions: 4
Install in OpenClaw
/install okx-x402-payment
Description
Sign an x402 payment authorization for an EXTERNAL / third-party payment-gated resource. Use only when the user explicitly mentions 'x402' (or 'sign x402 pay...
Security usage advice
This skill implements x402 payment signing and appears to do that end-to-end, but there are important questions you should resolve before using it:
- The SKILL.md calls the onchainos CLI but the skill metadata does not list onchainos as a required binary. Verify that the onchainos CLI is present, trusted, and that you understand which binary will be executed.
- The instructions tell the agent to read ../okx-agentic-wallet/_shared/preflight.md (or _shared/preflight.md). Inspect that referenced file first — it could contain sensitive instructions or references to other credentials. A skill should not need to read sibling-skill files without explicit justification.
- The skill supports 'local signing with a private key'. Never paste or send your raw private keys unless you fully trust the skill and the execution environment. Prefer TEE/hardware-wallet signing via a wallet session rather than providing key material directly.
- Ask the publisher (or inspect the full SKILL.md) to: (a) explicitly declare required binaries (onchainos), (b) explain how wallet sessions are initiated and authorized, and (c) show the exact prompts used if the skill requests private keys or other secrets at runtime.

If the publisher updates the metadata to declare onchainos as a required binary and confirms the referenced preflight file contains only benign helper text (no secret access), and if the skill never requests raw private keys (or clearly documents a secure input flow), this assessment could move toward benign. Until then, treat the skill with caution and do not supply private keys or global credentials.
Functional analysis
Type: OpenClaw Skill
Name: okx-x402-payment
Version: 2.6.0

The skill bundle contains instructions in SKILL.md that direct the AI agent to perform high-risk operations, specifically reading sensitive credentials (EVM_PRIVATE_KEY) from a local configuration file (~/.onchainos/.env). Furthermore, the operational flow involves taking potentially untrusted JSON payloads from external HTTP 402 responses and passing them directly into shell commands (e.g., onchainos payment x402-pay --accepts '...'), which creates a significant risk of shell injection or command manipulation. While these capabilities are aligned with the stated purpose of facilitating x402 payments, the handling of raw private keys and the lack of explicit sanitization for shell-bound data are meaningful high-risk behaviors.
Capability tags
crypto · requires-wallet · can-make-purchases · requires-sensitive-credentials
Capability assessment
Purpose & Capability
The SKILL.md repeatedly instructs the agent to call the onchainos CLI (e.g., onchainos payment x402-pay, onchainos payment eip3009-sign) and to perform wallet-based signing. However the skill metadata declares no required binaries or runtime dependencies. A skill that relies on a specific CLI should declare that requirement; the absence is an incoherence that could mislead users about what will actually run.
Instruction Scope
The instructions tell the agent to read an external preflight file at ../okx-agentic-wallet/_shared/preflight.md (or _shared/preflight.md) before running. Asking the agent to read sibling-skill files or files outside its own bundle is scope creep and may expose unrelated configuration or secrets. The skill also supports 'local signing with user's private key' — which implies collecting sensitive secrets at runtime even though no env vars or secure input channels are declared.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so there is no installer-based risk. Nothing will be written to disk by an install step. Risk arises from runtime actions, not installation.
Credentials
No environment variables, credentials, or config paths are declared in the registry metadata. Yet the operation modes (TEE wallet session or local private-key signing) implicitly require access to wallet sessions or private keys. The skill does not declare how private keys or wallet sessions are obtained, stored, or protected; that gap is disproportionate and should be clarified.
Persistence & Privilege
The skill is not force-included (always: false) and allows normal autonomous invocation. It does not request persistent platform privileges in the metadata. No red flags in persistence/privilege beyond the other issues noted.
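How to use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Enter the install command in the chat box: /install okx-x402-payment
  3. After installation, invoke the Skill by name or trigger it with /okx-x402-payment
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history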
v2.6.0
**Summary:** This release refocuses the skill to handle only explicit third-party x402 payment requests and clarifies routing rules.
- Restricts usage to external/third-party x402 payment-gated resources only.
- Updates the description to emphasize explicit user intent ("x402" mention for non-onchainos URLs).
- Adds detailed skill routing table—redirects all onchainos and Market API-related intents to specialized skills.
- Removes all guidance for built-in/onchainos x402 flows from this skill.
- Keeps payment protocol, chain/network info, and operational flow unchanged.
v2.4.0
Version 2.4.0
- Updated the metadata version to 2.4.0.
- No changes to code or instruction content.
- All core usage flows, warnings, and examples remain unchanged.
- No file or schema changes detected in this update.
v2.2.10
No file changes detected.
- Version metadata updated from 2.2.7 to 2.2.10
- No functional or documentation changes in this release
v2.2.7
okx-x402-payment v2.2.7
- Updated SKILL.md with detailed usage instructions, protocol background, and command index for the x402 payment authorization process.
- Clarified support for EVM-compatible chains only, with CAIP-2 network identifiers.
- Added step-by-step operational flow: initial request, 402 payload extraction, user confirmation prompt, and security reminders.
- Emphasized the requirement for explicit user confirmation before initiating wallet checks or signing operations.
- Provided clear routing guidance for related wallet, swap, security, and transaction functions.
Metadata
Slug okx-x402-payment
Version 2.6.0
License MIT-0
Total installs 0
Current installs 0
Historical versions 4
FAQ

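What is Okx 402 Payment?

Sign an x402 payment authorization for an EXTERNAL / third-party payment-gated resource. Use only when the user explicitly mentions 'x402' (or 'sign x402 pay... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 154 cumulative downloads to date.

How do I install Okx 402 Payment?

Run the command "/install okx-x402-payment" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.

Is Okx 402 Payment free?

Yes. Okx 402 Payment is completely free and is released under the MIT-0 license; it can be freely downloaded, installed and used.

Which platforms does Okx 402 Payment support?

Okx 402 Payment runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Okx 402 Payment?

It is developed and maintained by ok-james-01 (@ok-james-01); the current version is v2.6.0.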
