← 返回 Skills 市场
Pay With Any Token
作者
samledger67-dotcom
· GitHub ↗
· v1.0.0
· MIT-0
216
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install pay-with-any-token
功能描述
Pay HTTP 402 payment challenges using tokens via the Tempo CLI and Uniswap Trading API. Use when the user encounters a 402 Payment Required response, needs t...
安全使用建议
Before installing or running this skill: 1) Do not export your main/private production wallet key into PRIVATE_KEY. Prefer tempo's browser/passkey login or a hardware wallet; if you must provide keys, use a throwaway wallet with minimal funds. 2) The registry metadata omits required items — the SKILL.md actually needs UNISWAP_API_KEY, PRIVATE_KEY, jq, cast, bc, openssl, node/npm and the tempo CLI. Treat that omission as a red flag. 3) The skill directs you to run an installer script downloaded via curl from tempo.xyz and to npm install packages; only run these if you trust those projects and have reviewed the install script and npm packages. 4) Require explicit user confirmation gates are present in the docs (good), but verify the confirmations happen in your environment (don’t rely on the agent to auto-submit). 5) If you want to proceed: (a) verify the tempo install script contents before running, (b) use a dedicated low-value wallet, (c) restrict/unrotate any API keys you supply, and (d) audit the npm packages (mppx/viem) and any broadcasted transaction calldata before broadcasting. If you cannot or will not follow those mitigations, do not supply a raw private key or run the installer.
功能分析
Type: OpenClaw Skill
Name: pay-with-any-token
Version: 1.0.0
The skill bundle automates complex cryptocurrency swaps, bridging, and HTTP 402 payment fulfillment using the Tempo CLI and Uniswap Trading API. It exhibits high-risk behaviors, including a 'curl|bash' installation pattern for the Tempo CLI (SKILL.md) and the requirement for a plaintext PRIVATE_KEY environment variable to sign transactions and EIP-3009 authorizations (references/credential-construction.md). While the instructions include mandatory user confirmation gates (AskUserQuestion) before any on-chain action, the combination of shell execution, external script fetching from tempo.xyz, and sensitive key handling represents a significant attack surface for potential credential theft or unauthorized fund movement.
能力评估
Purpose & Capability
The SKILL.md behavior (use Tempo CLI, build/submit MPP/x402 credentials, swap and bridge via Uniswap Trading API) is consistent with a 'pay 402' skill: requiring a wallet private key, Uniswap API key, and on-chain tooling is plausible. HOWEVER the package metadata declares no required env vars or binaries while the instructions clearly require many (PRIVATE_KEY, UNISWAP_API_KEY, jq, cast, tempo, npm/node for mppx, openssl, bc). That mismatch is unexpected and reduces trust.
Instruction Scope
The SKILL.md instructs the agent to parse 402 responses, read and set many environment variables, sign EIP-3009/x402 payloads using a PRIVATE_KEY, and perform swaps/bridges and on-chain broadcasts. It also instructs installing and running external CLIs and npm packages. While most actions are within the 'pay a machine' purpose, the instructions access and require sensitive secrets (the private key) and reference env vars and binaries that are not declared in the registry metadata. There are explicit user-confirmation gates, which is good, but the skill still asks to export/use a raw PRIVATE_KEY — a high-sensitivity operation.
Install Mechanism
Although the registry lists no install spec, the SKILL.md tells users/agents to download and run an installer script from https://tempo.xyz/install via curl and to npm install packages (mppx, viem). Running arbitrary install scripts (curl | bash) and pulling npm packages executes external code and writes to disk; these are higher-risk operations and should be clearly declared. The tempo install URL is a project domain (not a GitHub release URL) and the docs also require use of Foundry's 'cast' (not declared).
Credentials
The runtime requires highly sensitive credentials: PRIVATE_KEY (raw signing key) and UNISWAP_API_KEY, plus expects RPC URLs and many environment variables (RESOURCE_URL, TEMPO_RPC_URL, X402_* variables) though none are declared in the registry metadata. Requiring a private key is proportionate to signing transactions, but asking users to set/export a raw PRIVATE_KEY is high-risk and should be minimized (prefer browser wallet / hardware wallet / tempo login). The discrepancy between declared and actually required env vars is a significant coherence problem.
Persistence & Privilege
The skill is instruction-only, has always:false, and does not request permanent presence or modification of other skills. Autonomous invocation is allowed (platform default) but there is no indication the skill modifies system-wide settings or other skills. This dimension is acceptable.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install pay-with-any-token - 安装完成后,直接呼叫该 Skill 的名称或使用
/pay-with-any-token触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release — MPP/x402 HTTP 402 payment flow via Tempo CLI and Uniswap Trading API
元数据
常见问题
Pay With Any Token 是什么?
Pay HTTP 402 payment challenges using tokens via the Tempo CLI and Uniswap Trading API. Use when the user encounters a 402 Payment Required response, needs t... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 216 次。
如何安装 Pay With Any Token?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install pay-with-any-token」即可一键安装,无需额外配置。
Pay With Any Token 是免费的吗?
是的,Pay With Any Token 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Pay With Any Token 支持哪些平台?
Pay With Any Token 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Pay With Any Token?
由 samledger67-dotcom(@samledger67-dotcom)开发并维护,当前版本 v1.0.0。
推荐 Skills