← 返回 Skills 市场

🔌

paynode-402

Name: paynode-402
Author: paynodelabs

作者 PayNodeLabs · GitHub ↗ · v2.7.5 · MIT-0

cross-platform ⚠ suspicious

250

总下载

当前安装

版本数

在 OpenClaw 中安装

/install paynode-402

功能描述

Dynamic Premium API Marketplace for AI Agents. Grants access to an ever-expanding registry of real-time external tools (e.g., web search, crypto oracles, web...

安全使用建议

This skill is internally coherent for its stated purpose, but it requires a highly sensitive private key that can sign on-chain payments. Before installing: (1) Never supply a long-term or high-value private key — use a burner wallet with minimal funds. (2) Verify or pin the CLI package source (git clone and local build or pin @paynodelabs/paynode-402-cli@<VERSION>) before running in production. (3) Inspect ~/.config/paynode/config.json if present and remove any non-burner keys. (4) Ensure your agent platform enforces interactive confirmation for any mainnet spend (or set disable-model-invocation if you cannot enforce confirmations). (5) Prefer testnet/network=testnet for initial trials and audit the published npm/GitHub package if you plan to use this in a production flow. The scanner found no code files in the skill bundle (instruction-only), but that does not replace auditing the external CLI package referenced in SKILL.md.

功能分析

Type: OpenClaw Skill Name: paynode-402 Version: 2.7.5 The skill is classified as suspicious due to its requirement for a `CLIENT_PRIVATE_KEY` and its reliance on `bunx` to execute remote code from `@paynodelabs/paynode-402-cli`, which poses significant supply-chain and credential theft risks. Furthermore, `SKILL.md` contains instructions that steer the AI agent to prioritize this paid service over its internal knowledge, potentially leading to unexpected financial transactions. The future-dated `publishedAt` timestamp in `_meta.json` (April 2026) is an additional anomaly that suggests non-standard publishing practices.

能力标签

cryptorequires-walletcan-make-purchasescan-sign-transactionsrequires-sensitive-credentials

能力评估

✓ Purpose & Capability

Name/description (paid API marketplace) align with the declared requirements: the CLI examples use bunx, the skill requires the bun binary, and it needs a CLIENT_PRIVATE_KEY to sign on-chain payments. The config fallback (~/.config/paynode/config.json) is consistent with the described behavior. No unrelated credentials or binaries are requested.

ℹ Instruction Scope

SKILL.md is instruction-only and contains concrete bunx commands and safety rules (prompt user before mainnet spending, use burner wallets, fetch get-api-detail before invoking). It also instructs the agent to read CLIENT_PRIVATE_KEY from env or fallback config — this is within scope but sensitive. The skill explicitly requires user confirmation for spending, which reduces surprising autonomous behavior if the agent follows these rules.

✓ Install Mechanism

No install spec; instruction-only skill (no code files). This means nothing is fetched or written by an automated installer at install time, which lowers supply-chain risk. SKILL.md references an external CLI package (bunx @paynodelabs/...), but no automatic download/install is declared in the skill metadata.

ℹ Credentials

Only one required credential (CLIENT_PRIVATE_KEY) is declared, which is proportionate to a wallet-signing CLI. However, this is a high-value secret (a private key). The fallback to a local config file increases the ways the secret can be present on disk. The SKILL.md itself warns to use burner keys and to verify config contents — appropriate but places responsibility on the user/operator.

ℹ Persistence & Privilege

always:false (good). disable-model-invocation:false (normal default), meaning the agent could invoke the skill autonomously; combined with a live CLIENT_PRIVATE_KEY this increases blast radius if the agent/platform does not enforce the SKILL.md's explicit prompt/confirm requirement. The skill does not request modification of other skills or system-wide config.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install paynode-402
安装完成后，直接呼叫该 Skill 的名称或使用 /paynode-402 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v2.7.5

- Version bump from 2.7.4 to 2.7.5. - To use v2.7.2 cli version. - No file changes detected; internal version update only.

v2.7.4

Version 2.7.4 - Documentation updated to clarify that the "clarify" tool must be used to explicitly ask humans for permission before executing paid API commands on mainnet. - No changes to functionality or code; the update is documentation-only. - Reinforces the requirement for user confirmation before spending real USDC on mainnet.

v2.7.3

- Updated homepage field location in metadata for improved consistency. - Clarified use of --confirm-mainnet flag for all mainnet operations, including read-only commands. - Enhanced mainnet safety messaging: explicit user approval is now required for any action potentially spending real USDC. - Revised Quick Start and Command Reference sections to reflect flag usage and provide clearer command examples. - No code changes; documentation and metadata improvements only.

v2.7.2

Version 2.7.2 - Improved documentation of supply chain, auditability, and open source verifiability for PayNode CLI and dependencies. - Added guidance for locked/pinned CLI versions and instructions for strict local installs. - Revised quick start and troubleshooting sections for greater clarity and user onboarding. - No functional or CLI interface changes; update focuses on usability and documentation detail.

v2.7.1

- Added a new critical security rule: "Financial Optimization (CRITICAL)" — agents must avoid calling paid APIs multiple times for the same context and should store responses locally to minimize USDC usage. - Clarified that responses should be piped to a temporary file and parsed locally to save costs. - No code or CLI command changes; documentation and governance updates only.

v2.7.0

v2.7.0 is a major update refocusing the skill as a dynamic premium API marketplace for AI Agents. - Expanded description: emphasizes dynamic marketplace, real-time API access, and agent usage guidance. - New security warning section: clearer safety practices, supply chain advice, and testnet-first guidance. - Improved governance: updates protocol for agents, disables internal logs in JSON mode, clarifies input schema/sample response requirements. - Enhanced usage instructions: mandates marketplace discovery before error or fallback, encourages always checking available APIs for real-time or external data needs. - Updated resource and workflow documentation; CLI command table improved for agent clarity.

v2.6.0

**Security governance requirements are now stricter; mainnet operations must always prompt for explicit YES confirmation and enforce burner wallet usage.** - Security section updated: stricter language, "Critical" priority, and emphasis on burner wallet-only policy. - YES-confirmation workflow for mainnet payments now explicitly mandatory. - Only read local file paths created during the current request/session. - Initial marketplace indexing on cold start is now described as a required outbound request. - Minor clarifications and stronger enforcement language throughout documentation.

v2.5.2

- Updated environment and config instructions: Now supports environment variable and XDG config file for managing CLIENT_PRIVATE_KEY. - Added mandatory security protocols to comply with ClawHub Safety Standards. - Mainnet usage now requires explicit user confirmation before making payments. - Agent workflow clarified: must always fetch API details before invocation; never guess parameters. - Revised and streamlined documentation; project home now points directly to GitHub. - No file or logic changes detected, only changes in documentation and metadata.

v2.5.1

- Migrated skill to a standalone CLI tool; all scripts and the SDK are now external dependencies. - All internal source files and helper scripts removed—use `bunx @paynodelabs/paynode-402-cli` for all operations. - Updated skill documentation and command references for the CLI-based workflow. - Improved agent safety and best practices, including required discovery commands and explicit usage notes. - All environment variables and binary requirements clarified for stateless, up-to-date usage.

v2.4.0

- Updated PayNode Protocol to v2.2.3. - Bumped skill version to 2.4.0. - Updated CLI output and documentation examples to reflect new version numbers. - No code changes detected; documentation refresh only.

v2.3.0

**v2.3.0 is a major update focused on enhanced security and flexibility for environment variable management.** - All critical configuration now uses system environment variables or CLI flags, eliminating reliance on plaintext `.env` files. - Added new optional environment variables for advanced control: `PAYNODE_MARKET_URL`, `PAYNODE_RPC_URL`, `PAYNODE_RPC_TIMEOUT`, `PAYNODE_TASK_DIR`, `PAYNODE_MAX_AGE`. - Updated documentation with setup instructions for securely configuring `CLIENT_PRIVATE_KEY` across Linux, macOS, and Windows environments. - Reflects version bumps in expected outputs and instructions. - General improvements for operational safety and agent compatibility.

v2.2.4

## paynode-402 v2.2.4 changelog - Updated all user-facing CLI output and documentation to display the current skill version as 2.2.4. - Added explicit skill_version and sdk_version fields to JSON outputs and documentation examples for improved clarity. - Minor documentation edits to CLI usage for consistency and accuracy.

v2.2.3

paynode-402 v2.2.3 - Aligns documentation to match current environment variable and flag support, reflecting the actual implementation. - Removes reference to the optional PAYNODE_MARKETPLACE_URL environment variable for improved accuracy. - No changes to source code or functionality; documentation updates only.

v2.2.2

Marketplace integration and new commands for paid API discovery (version 2.2.2): - Added marketplace client and types for discovering and inspecting paid APIs. - Introduced new CLI commands: list-paid-apis, get-api-detail, and invoke-paid-api. - Added scripts for marketplace interactions. - SKILL.md updated with usage docs for the marketplace flow. - Removed references/TESTING.md.

v1.0.1

- Updated protocol version from 2.2.0 to 2.2.1 throughout documentation. - Example outputs and configuration now reflect version 2.2.1. - No other user-facing changes noted.

v1.0.0

Initial release of paynode-402 skill for x402-v2 resource-based API billing on Base L2. - Automates access to protected APIs using PayNode Protocol v2.2.0, supporting both on-chain and EIP-3009 payment methods. - Requires Bun (v1.0+) and a dedicated CLIENT_PRIVATE_KEY (burner wallet); warns strongly against using any primary or non-burner wallets. - CLI provides commands for checking balances, minting test USDC, and performing automated payments and API unlocks. - Supports async/background execution for agent workflows, including result polling and auto-cleanup of task files. - Handles JSON, text, and binary API responses; includes detailed flag-based configuration for testnet/mainnet safety. - Focuses on strong agent safety rules and minimal exposure of private credentials.

元数据

Slug paynode-402

版本 2.7.5

许可证 MIT-0

累计安装 1

当前安装数 1

历史版本数 16

常见问题

paynode-402 是什么？

Dynamic Premium API Marketplace for AI Agents. Grants access to an ever-expanding registry of real-time external tools (e.g., web search, crypto oracles, web... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 250 次。

如何安装 paynode-402？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install paynode-402」即可一键安装，无需额外配置。

paynode-402 是免费的吗？

是的，paynode-402 完全免费，采用 MIT-0 许可证，可自由下载、安装和使用。

paynode-402 支持哪些平台？

paynode-402 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 paynode-402？

由 PayNodeLabs（@paynodelabs）开发并维护，当前版本 v2.7.5。