payment-402
Author: PayNodeLabs · GitHub · v1.0.1 · MIT-0
Total downloads: 170 · Favorites: 0 · Current installs: 0 · Versions: 2
Install in OpenClaw
/install payment-402
Description
Access protected APIs and digital resources via the x402 "Payment Required" protocol on Base L2. This skill automates cryptographic handshakes and USDC micro...
Security usage recommendations
This skill appears to implement the described PayNode x402 flow and uses the PayNode SDK and ethers — that is consistent with its purpose. However: (1) the registry metadata omits the fact that the skill requires a CLIENT_PRIVATE_KEY and Bun even though SKILL.md and the scripts require them; this discrepancy reduces trust and you should ask the publisher to correct the metadata and provide a verifiable source/homepage. (2) The skill requires a private key and will sign and broadcast transactions. Only use a dedicated burner wallet with minimal funds (as the README suggests), and never supply keys for your primary/mainnet wallet. (3) Test thoroughly on the provided sandbox/testnet (Base Sepolia) before any mainnet use. (4) Verify the dependency @paynodelabs/sdk-js is legitimate (check registry/package homepage) to avoid typosquatting. (5) If you need stronger controls, require manual human confirmation for any transaction (do not allow autonomous use) or run the skill in an isolated environment. If you are not comfortable with these risks or the missing provenance, do not install until metadata and source are clarified.
Functional analysis
Type: OpenClaw Skill
Name: payment-402
Version: 1.0.1
The skill enables automated blockchain transactions and private key handling to resolve HTTP 402 'Payment Required' challenges on the Base L2 network. While the code in scripts/request.ts and scripts/utils.ts appears aligned with the stated purpose and includes safety guardrails (e.g., a 2.0 USDC threshold for human approval and burner wallet policies in SKILL.md), the capability to autonomously sign and broadcast financial transactions is a high-risk behavior. No evidence of intentional malice, such as secret exfiltration or backdoors, was detected in the provided files.
Capability assessment
Purpose & Capability
The SKILL.md and the included scripts clearly require a CLIENT_PRIVATE_KEY and Bun to operate and use @paynodelabs/sdk-js to perform x402 handshakes and on-chain payments — this is coherent with the skill's described purpose. However, the registry metadata at the top of the record says "Required env vars: none" and "Primary credential: none", which contradicts the explicit required_env_vars and primary_credential declared in SKILL.md and used by the code. The source/homepage is also missing, which reduces provenance.
Instruction Scope
The runtime instructions and scripts stick to the payment flow: checking balances, minting test tokens (sandbox), requesting a protected resource and resolving 402 challenges via PayNode. They do not attempt to read unrelated host files or external secrets. However, the skill explicitly requires a private key and allows signing/broadcasting transactions; SKILL.md warns about thresholds and autonomous usage, but that capability is powerful and must be treated carefully.
Install Mechanism
This package is provided as source with a package.json and SKILL.md that instructs 'bun install'. The registry metadata claimed 'No install spec / instruction-only', which is inconsistent. Installing pulls dependencies from npm-like registries (@paynodelabs/sdk-js, ethers, dotenv) — expected for this function but moderate-risk compared to instruction-only skills. No suspicious download URLs or archive extracts were observed.
Credentials
The only secret requested is CLIENT_PRIVATE_KEY, which is necessary to sign payments and therefore proportionate to the stated purpose. The concern is twofold: (1) the registry metadata omitted this requirement (inconsistency), and (2) the skill requires the user to place a raw private key in a .env file — a sensitive practice. The SKILL.md does advise using a burner wallet and sets a human-approval threshold (>2 USDC), but those are guidance rather than enforced platform controls.
Persistence & Privilege
The skill does not request 'always: true' or elevated platform persistence. It can be invoked autonomously (platform default), which combined with the ability to sign and broadcast transactions increases risk, but autonomy itself is normal and expected for skills. There is no evidence the skill modifies other skills or system-wide settings.
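How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install payment-402
- Once installation completes, call the Skill by name or trigger it with /payment-402
- Provide the required inputs according to the Skill's parameter description to get structured output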
Version history
v1.0.1
payment-402 v1.0.1
- Added formalized security section: autonomous agents must seek approval for payments exceeding 2 USDC and verify new merchants before first payment.
- Clarified sandbox-first policy: always test on testnet/sandbox endpoints before using mainnet funds.
- Added required_env_vars, required_binaries, primary_credential, and install fields to SKILL.md for improved compatibility and deployment clarity.
- Updated security guidelines to highlight autonomous blockchain transaction capability and thresholds for human consent.
v1.0.0
- Initial release of the payment-402 skill for automating pay-per-resource billing using the x402 "Payment Required" protocol on Base L2.
- Automates cryptographic handshakes and USDC micro-payments to unlock protected APIs and digital resources.
- Includes pre-execution checks for environment, balances, and wallet readiness with explicit security and burner-wallet usage policies.
- Provides agents with a clear execution workflow, troubleshooting tips, and strict safety rules to prevent fund loss.
- Integrated testing guidance, sandboxing utilities, and links to official documentation and SDK resources.
Metadata
FAQ
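What is payment-402?
Access protected APIs and digital resources via the x402 "Payment Required" protocol on Base L2. This skill automates cryptographic handshakes and USDC micro... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 170 cumulative downloads so far.
How do I install payment-402?
Run the command "/install payment-402" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.
Is payment-402 free?
Yes, payment-402 is completely free, released under the MIT-0 license, and can be freely downloaded, installed and used.
Which platforms does payment-402 support?
payment-402 runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed payment-402?
It is developed and maintained by PayNodeLabs (@paynodelabs); the current version is v1.0.1.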