misteeka

Pearl

Author: Simeon · GitHub · v0.0.14 · MIT-0
cross-platform ✓ Security check passed
Total downloads: 214
Favorites: 0
Current installs: 0
Versions: 14
Install in OpenClaw
/install pearl
Description
Stripe for AI agents — one wallet for all paid skills. If you installed a skill that requires Pearl (check its SKILL.md), you MUST set up Pearl first: run no...
Security usage recommendations
This skill appears internally consistent with its description. Notes and suggested checks before installing:
- The client stores two tokens in ~/.pearl/config.json (mode 0600). Do not share that file. The read_token is used only with pearlcash.ai; the skill_token is intentionally sent to third-party skill servers to identify your user for billing.
- The worst-case misuse of a leaked skill_token (per the author) is exposure of your Pearl user ID and potentially creation of pending charges; it cannot read your balance or approve charges. However, a malicious skill server could attempt social engineering or create many pending charges, so only enable Pearl-powered skills from developers you trust.
- Verify the domain https://pearlcash.ai is legitimate to you (homepage provided). If you have concerns, inspect scripts/setup.js and scripts/run.js (they are included) before running them.
- npm install is suggested but package.json lists no dependencies; running npm install in the skill directory is low risk. If you prefer, inspect the files (they are small, bundled here) and run only the specific scripts you trust.
- Overall: coherent and proportionate. If you need higher assurance, confirm the Pearl service, check TLS cert for pearlcash.ai, and run the setup flow only when you can observe the login on a device you control.
Functional analysis
Type: OpenClaw Skill
Name: pearl
Version: 0.0.14
The Pearl skill bundle implements a payment gateway for AI agents with a security-conscious design. It uses scoped tokens (read-only vs. skill-specific), enforces HTTPS and domain-only URLs in scripts/run.js to prevent SSRF, and sets strict file permissions (0600) for local credential storage in ~/.pearl/config.json. The behavior is transparently documented and aligns with its stated purpose as a payment mediator between users and third-party skill providers.
Capability assessment
Purpose & Capability
Name/description (payments for AI agents) align with the code and SKILL.md. The scripts implement a one-time setup, local config storage (~/.pearl/config.json), read-only balance/transactions calls using read_token, and a run() helper that sends a limited skill_token to skill servers. Required binary 'node' is appropriate.
Instruction Scope
SKILL.md only instructs running the included node scripts (setup, balance, transactions) and npm install. It documents what is stored and what is sent to third parties. The runtime instructions do not ask the agent to access unrelated files, environment variables, or endpoints.
Install Mechanism
There is no registry install spec in the skill bundle itself, but _meta.json includes a postinstall entry and SKILL.md tells users to run npm install --prefix {baseDir}. package.json lists no external dependencies, so npm install is low risk. No downloads from unknown URLs or archive extraction are used.
Credentials
The skill requests no environment variables or external credentials. It stores tokens locally at ~/.pearl/config.json with file mode 0600. The separation of read_token (only for Pearl API) and skill_token (explicitly intended to be sent to skill provider servers) matches the documented design.
Persistence & Privilege
always is false and the skill does not request persistent platform-wide privileges. It writes only to its own directory (~/.pearl) and does not modify other skills or system-wide agent settings.
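How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install pearl
  3. Once installation completes, invoke the Skill by name or trigger it with /pearl
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history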
v0.0.14
- Credential storage now uses a read-only API token (`read_token`) instead of a full-privilege token.
- Updated documentation to clarify that the read-only token (JWT audience `pearl-read`) cannot be used for write or mutating actions; only read operations are allowed (API returns 403 otherwise).
- Adjusted security section to highlight that no full-access API token is stored or used in agent scripts—only the read-only and skill-scoped tokens are present.
- Updated table and explanations throughout to reflect these changes, improving clarity and user safety.
v0.0.13
- Updated API and dashboard URL references from emalakai.com to pearlcash.ai.
- Changed metadata homepage to https://pearlcash.ai.
- No new features or functional changes; documentation only update to reflect new domain.
v0.0.12
- SKILL.md now features a much shorter description for easier onboarding and installation guidance.
- Clarified installation steps: Users are directly instructed to run setup and verification scripts before using Pearl-powered skills.
- Removed the long "read_when" YAML block to streamline metadata.
- Metadata description is now concise; less marketing and more actionable instructions.
- All technical details and security explanations remain in the main documentation section.
- No code or functional changes; documentation only.
v0.0.11
Minor
v0.0.10
Version 0.0.10
- Improved setup instructions: clarifies the need to install Node.js dependencies before running setup.
- Added a quick pre-setup check for existing Pearl configuration to avoid redundant setup steps.
- Stressed that users should not manually create the configuration file; setup generates required tokens securely.
- Enhanced formatting for step-by-step setup and verification.
- No code changes—documentation only.
v0.0.9
Security documentation has been expanded and clarified:
- Added a detailed explanation of how the skill token works, emphasizing that it is safe and designed to be sent to third-party skill providers.
- Clarified the exact capabilities and limitations of the skill token, including what third parties can and cannot do with it.
- Expanded and restructured the Security section, including new subsections for skill token safety, transport protections, and other controls.
- Emphasized that the full API token is never sent to third-party servers and that spending limits are always enforced server-side.
v0.0.8
Version 0.0.8
- Enhanced security: `run.js` now validates skill URLs, enforcing HTTPS-only and blocking IP addresses, localhost, and metadata endpoints.
- Updated documentation to clarify URL validation, and that skill URLs must use a domain name.
- Improved description of skill token isolation and its intended usage.
- No code changes detected beyond documentation updates.
v0.0.7
- Updated setup and usage instructions to use `{baseDir}` instead of hardcoded paths in command examples.
- No functional or API changes; documentation improvement only.
v0.0.6
Pearl 0.0.6 – Repositioned as "Stripe for AI agents" with updated description and read triggers.
- Updated skill description to highlight Pearl as a universal payment layer for AI agents using paid skills or SaaS.
- Expanded “read_when” triggers to include queries about paid skill usage and how agent payments work.
- Clarified security, setup, and usage documentation in SKILL.md for better user understanding.
- No code changes; documentation update only.
v0.0.5
cleanup
v0.0.4
Updated documentation
v0.0.3
Improved prompts
v0.0.2
Improved prompts and made code more clear and transparent
v0.0.1
Hello world
Metadata
Slug: pearl
Version: 0.0.14
License: MIT-0
Total installs: 0
Current installs: 0
Version count: 14
FAQ

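What is Pearl?

Stripe for AI agents — one wallet for all paid skills. If you installed a skill that requires Pearl (check its SKILL.md), you MUST set up Pearl first: run no... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 214 total downloads to date.

How do I install Pearl?

Run the command "/install pearl" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.

Is Pearl free?

Yes, Pearl is completely free. It is released under the MIT-0 license and can be freely downloaded, installed, and used.

Which platforms does Pearl support?

Pearl runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Pearl?

Developed and maintained by Simeon (@misteeka); the current version is v0.0.14.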
