h1rdr3v2

Pay Bills

Author: DevEze · GitHub · v0.0.5
cross-platform ⚠ suspicious
Total downloads: 769
Favorites: 2
Current installs: 0
Versions: 5
Install in OpenClaw
/install pay-bills
Description
Purchase data, airtime, and digital products for Nigerian phone numbers instantly using wallet balance with network and plan validation.
Safe usage recommendations
Things to check before installing:
- Ensure Node.js is available in the runtime environment (SKILL.md requires running node scripts; metadata incorrectly lists no required binaries).
- Verify the external API host (https://lodu.bleon.net/v1) is legitimate and operated by the payment provider you expect — the skill's source/homepage are unknown.
- Be aware the skill saves a plaintext session token to .session_token inside the skill directory; consider whether that file could be accessed by other users/processes. If you proceed, restrict file permissions or modify the workflow to use a secure secret store.
- Confirm you are comfortable with the agent sending phone numbers, OTPs/PINs, and wallet-related requests to the external API.
- Ask the author to update metadata to declare 'node' as a required binary and to document where the token is stored (and preferably offer a secure storage alternative).
- If you cannot validate the endpoint and author, avoid installing or only test in an isolated environment.
Functional analysis
Type: OpenClaw Skill
Name: pay-bills
Version: 0.0.5
The skill is classified as suspicious due to its use of local command execution and file system operations to manage sensitive session tokens. The `SKILL.md` instructs the AI agent to execute Node.js scripts (`generate-device-id.js`, `generate-order-id.js`, `session-token.js`) directly. While these scripts appear functional for the skill's stated purpose (managing API interactions and session state by writing to/reading from `.session_token` in the skill's directory), the capability to execute local commands and perform file I/O with sensitive data (session tokens) introduces a risk. If the OpenClaw agent's execution environment or argument sanitization is flawed, this could lead to shell injection or unauthorized access to the stored session token by other skills, even though no explicit malicious intent (like data exfiltration to arbitrary endpoints or backdoor installation) is observed in the provided code.
Capability assessment
Purpose & Capability
The name, description, and SKILL.md all describe a bills/data/airtime purchasing integration and the included scripts (order-id, device-id, session-token) are coherent with that purpose. However, the runtime instructions require running Node.js scripts but the skill metadata lists no required binaries — this is an inconsistency in packaging that may break runtime behavior or mask expectations about what the agent will execute.
Instruction Scope
Instructions explicitly tell the agent/operator to call external API endpoints at https://lodu.bleon.net/v1 and to run local Node.js scripts that generate IDs and persist/load a session token file (.session_token). The SKILL.md does not instruct reading unrelated files or environment variables. The primary scope creep concerns are: (1) the skill will transmit phone numbers, PINs/OTP flows, and a sessionToken to an external endpoint (which is expected for this functionality but should be verified), and (2) it writes and reads a plaintext token file in the skill directory — a sensitive local artifact.
Install Mechanism
There is no install spec (instruction-only plus small helper scripts). That minimizes supply-chain installation risk. The included JS files are short, readable, and not obfuscated. No downloads, package installs, or archive extraction are performed by the skill.
Credentials
The skill declares no required environment variables or credentials, which aligns with using a session token flow. However, it persists the session token to a plaintext file (.session_token) in the skill directory; this is sensitive and could be readable by other processes or users on the same host. Also, the metadata omission of 'node' as a required binary is disproportionate to the runtime instructions that rely on Node.js.
Persistence & Privilege
The skill is not force-installed (always:false) and does not request system-wide configuration changes. It simply reads/writes a token file within its own directory and does not modify other skills or system-wide settings.
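How to use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Enter the install command in the chat box: /install pay-bills
  3. Once installation completes, invoke the Skill by name or trigger it with /pay-bills
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history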
v0.0.5
- Adds support for notification preference management.
- Updated device ID generation: now accepts an optional `userId` and uses format `openclaw_<userId>`.
- Updated documentation for notification preferences (view and update).
- Clarified and updated helper script instructions for device ID management after login.
v0.0.4
No changes detected in code or documentation.
- Version 0.0.4 released with no file or documentation updates.
v0.0.3
- Added support for user-saved contacts: create, edit, delete, and search by name or phone number.
- New endpoints and usage guidance for managing saved contacts and integrating contact lookups into purchase flows.
- No code changes detected; documentation updated to reflect new saved contacts features.
v0.0.2
**Major update: local helper scripts for device ID, order ID, and session token management added.**
- Added three helper scripts: generate-device-id.js, generate-order-id.js, and session-token.js for ID generation and local session token management.
- SKILL.md updated with detailed instructions on running helper scripts for `trx_id`, persistent device IDs, and session authentication.
- The new scripts support local workflow automation: generate unique order IDs, persist/reuse device IDs per user, and save/load/clear session tokens.
- Auth flow instructions now include when and how to use the new scripts.
- Emphasizes never hardcoding IDs and always using helper commands before key operations.
v0.0.1
Initial release of pay-bills using the CreditWithBleon API:
- Supports purchasing data, airtime, and digital products for Nigerian phone numbers via wallet balance.
- Implements full authentication and onboarding flow, including PIN and OTP handling.
- Normalizes phone numbers and predicts network using API (no hardcoding).
- Fetches live products, plans, and network lists for accurate, up-to-date purchases.
- Checks wallet balance before transactions and provides deposit suggestions if funds are insufficient.
- Tracks order statuses and recent transactions for re-orders and convenience.
- Ensures strict compliance with network/plan statuses, and enforces all API key rules.
Metadata
Slug pay-bills
Version 0.0.5
License
Total installs 0
Current installs 0
Number of versions 5
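FAQ

What is Pay Bills?

Purchase data, airtime, and digital products for Nigerian phone numbers instantly using wallet balance with network and plan validation. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 769 cumulative downloads to date.

How do I install Pay Bills?

Run the command "/install pay-bills" in the OpenClaw or Claude Code chat box to install it in one step, with no additional configuration required.

Is Pay Bills free?

Yes, Pay Bills is completely free (free and open source) and can be freely downloaded, installed, and used.

Which platforms does Pay Bills support?

Pay Bills runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Pay Bills?

Developed and maintained by DevEze (@h1rdr3v2); the current version is v0.0.5.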
