Payclaw
Author: rojasjuniore · GitHub · v1.0.0
Total downloads: 1052
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install payclaw
Description
Agent-to-Agent USDC payments. Create wallets, send/receive payments, escrow between agents. Built for the USDC Hackathon on Moltbook.
Security recommendations
This skill is a CLI wrapper around an external 'circle-wallet' tool and expects you to provide a Circle API key (it stores that key in ~/.openclaw/payclaw/config.json). Before installing: (1) verify you trust the author/repository (the registry metadata lacks a homepage but SKILL.md points to a GitHub repo); (2) ensure you intend to install and run the external 'circle-wallet' binary that this code invokes; (3) be aware the CLI constructs shell commands by interpolating user-supplied values into execSync(`circle-wallet ${cmd}`) — inputs are not sanitized, so malicious or malformed addresses/arguments could cause command injection on your machine; (4) note the SKILL.md shows a programmatic import (PayClaw class) that is not present in the provided code — the only delivered artifact is a CLI; (5) if you proceed, consider running it in a restricted environment (container/VM) and inspect or modify the code to sanitize inputs (avoid passing raw user strings into shell commands) and confirm where the Circle key is stored and that it's acceptable to you. If you don't trust the source or cannot verify the external 'circle-wallet' binary, treat this skill as risky.
Functional analysis
Type: OpenClaw Skill
Name: payclaw
Version: 1.0.0
The skill is classified as suspicious due to its reliance on `child_process.execSync` in `src/cli.ts` to execute an external `circle-wallet` CLI tool. While this is plausibly needed for its stated purpose of USDC payments and wallet management, it introduces a significant attack surface. The security of the skill heavily depends on the integrity and security of the `circle-wallet` binary, which is not bundled with the skill. Additionally, the `SKILL.md` installation instructions include `npm link`, which grants broad permissions by creating symlinks in global or local `node_modules`, an action typically reserved for development and not ideal for production installations.
Capability assessment
Purpose & Capability
The code implements a CLI that delegates work to an external 'circle-wallet' command and stores a Circle API key in ~/.openclaw/payclaw/config.json. However, the skill metadata declares no required binaries, no credentials, and no config paths — those are required in practice. Also the SKILL.md suggests importing a PayClaw class from 'payclaw' for programmatic agent integration, but the distributed code is only a CLI (no exported library API). These mismatches mean the declared purpose is plausible but the manifest omits key requirements and the integration example is inaccurate.
Instruction Scope
The runtime instructions and code tell the agent/user to: install/build/link the package, run 'payclaw setup --api-key YOUR_CIRCLE_API_KEY' (so an API key is required), create wallets, register agents, and run payments. The implementation executes shell commands via execSync(`circle-wallet ${cmd}`) with user-provided inputs (addresses, amounts, arbitrary command fragments) and writes/reads files under ~/.openclaw/payclaw (config.json, escrows.json, agents.json, history.json). There is no input sanitization for values interpolated into the shell call, creating command‑injection risk. The SKILL.md and package manifest do not declare the required HOME config path access or the need for the external 'circle-wallet' binary.
Install Mechanism
There is no remote download/install spec in the registry (the skill is instruction-only), but the package includes full source and a built CLI. Install instructions in SKILL.md use npm install && npm run build && npm link — a typical local install that will place files on disk. No suspicious external URLs or archives are used in the install flow.
Credentials
The skill does require a Circle API key (SKILL.md shows payclaw setup --api-key) but the registry metadata lists no required environment variables or primary credential. The code instead persists the API key to ~/.openclaw/payclaw/config.json (file mode 600 is applied). The skill also relies on a 'circle-wallet' binary (not declared). The absence of declared credentials/binaries in the metadata is a coherence issue and could mislead users about what sensitive values the skill needs.
Persistence & Privilege
The skill writes its own config and data into ~/.openclaw/payclaw and does not request always:true or other elevated privileges. It does not modify other skills' configurations. Autonomous invocation is allowed by platform default, which is expected; no additional persistence privileges are requested.
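How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install payclaw
- After installation, call the Skill by its name or use /payclaw to trigger it
- Provide the required inputs according to the Skill's parameter description to get structured output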
Version history
v1.0.0
Initial release
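Frequently asked questions
What is Payclaw?
Agent-to-Agent USDC payments. Create wallets, send/receive payments, escrow between agents. Built for the USDC Hackathon on Moltbook. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 1052 cumulative downloads so far.
How do I install Payclaw?
Run the command "/install payclaw" in the OpenClaw or Claude Code chat box for a one-click install, with no extra configuration needed.
Is Payclaw free?
Yes, Payclaw is completely free (open source and free) and can be freely downloaded, installed and used.
Which platforms does Payclaw support?
Payclaw runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Payclaw?
Developed and maintained by rojasjuniore (@rojasjuniore); the current version is v1.0.0.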