max-clinch

Soho

Author: SULEMAN ISMAILA · GitHub · v2.0.0
cross-platform ✓ Security check passed
Total downloads: 417
Favorites: 0
Current installs: 0
Versions: 2
Install in OpenClaw
/install soho-pay
Description
Initiate payments on the SOHO Pay credit layer using EIP-712 signatures.
Security usage recommendations
This skill appears to implement exactly what it claims (EIP-712 orchestration and on-chain settlement), but check a few things before installing/running:
  1. Verify the registry metadata mismatch: skill.json / SKILL.md require RPC_URL, CHAIN_ID, and SIGNER_PROVIDER. Make sure you supply and protect those env vars.
  2. Only point WALLET_SIGNER_SERVICE_URL at a trusted, user-controlled MPC/HSM/signing service and keep SIGNER_SERVICE_AUTH_TOKEN secret; audit that service's /sign-eip712 and /send-tx endpoints.
  3. Never use SOHO_DEV_PRIVATE_KEY on mainnet; the code enforces this but double-check CHAIN_ID and DEV_ALLOW_LOCAL_KEY before running.
  4. Confirm the platform invocation settings. Although the skill is written to be manual-invocation-only, the platform flag you were shown suggests autonomous invocation is permitted; ensure the platform honors manual-only invocation or that you don't enable autonomous runs.
  5. Note the declared SOHO_API_URL is not used by the code; ask the author if that's intentional.
  6. Because package.json exists, running locally requires npm install; review dependencies and the contract addresses in config before sending real funds.
If anything above is unclear, ask the skill author for clarifications and an integrity checksum for the package files.
Functional analysis
Type: OpenClaw Skill
Name: soho-pay
Version: 2.0.0
The OpenClaw AgentSkills bundle is designed for orchestrating payments on a credit layer and exhibits a strong security-first design. Key security features include explicit manual invocation and user confirmation requirements enforced by both metadata (`SKILL.md`, `skill.json`) and a runtime guard (`scripts/pay.js`). The skill strictly separates key custody, stating it never holds private keys, delegating signing to user-controlled wallet signers (local dev key or remote MPC/HSM). Robust environment variable validation using Zod (`src/config.js`) prevents misconfiguration, and the use of local private keys is strictly gated to testnets by default. Input sanitization for `merchantAddress` prevents address spoofing, and all external network calls are to user-configured URLs with proper authentication. There is no evidence of data exfiltration, malicious execution, persistence mechanisms, or prompt injection attempts against the agent.
Capability assessment
Purpose & Capability
The skill is a payment orchestrator for the SOHO credit layer and its code requires RPC access, chain selection, and a wallet-signing backend (remote or local). Those requirements are appropriate for the described purpose. However, the registry metadata supplied to you earlier claims no required environment variables, while skill.json and SKILL.md declare multiple required env vars (RPC_URL, CHAIN_ID, SIGNER_PROVIDER, etc.) — that's an upstream metadata mismatch to verify.
Instruction Scope
Runtime instructions (scripts/pay.js and SKILL.md) restrict actions to: config validation, pre-flight credit checks on-chain, requesting EIP‑712 signatures from a user-controlled signer, and submitting spendWithAuthorization to the Creditor contract. The skill does not attempt to read unrelated files or exfiltrate secrets. Note: SOHO_API_URL is declared in config but is not actually used by the code — this is a scope/inconsistency but not an obvious data-exfiltration issue.
Install Mechanism
There is no installer specified (instruction-only from platform perspective), but code files and package.json dependencies exist. Running the skill locally will require installing Node deps (ethers, dotenv, zod). No suspicious remote download or obscure install URL is present.
Credentials
The environment variables declared (RPC_URL, CHAIN_ID, SIGNER_PROVIDER, optional WALLET_SIGNER_SERVICE_URL and SIGNER_SERVICE_AUTH_TOKEN, and a dev private key for local testing) align with the skill's needs. Sensitive values (SIGNER_SERVICE_AUTH_TOKEN, SOHO_DEV_PRIVATE_KEY) are marked sensitive in skill.json. There are no unrelated credentials requested.
Persistence & Privilege
The skill is not marked always:true and skill.json + SKILL.md indicate manual invocation with require_confirmation. The runtime script also refuses to run when SOHO_AUTONOMOUS env is set. However, the platform-level flags you were shown indicate disable-model-invocation: false (the platform default), which could allow the platform to attempt autonomous invocation; the skill defends itself by aborting in that case, but you should confirm that the platform honors the skill's manual-invocation intention and that operators do not override it.
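How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the dialog: /install soho-pay
  3. After installation, call the Skill by name directly or trigger it with /soho-pay
  4. Provide the necessary inputs according to the Skill's parameter description to get structured output
Version history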
v2.0.0
**Major refactor of soho-pay to v2.0.0, with a new modular codebase and enhanced signing architecture.**
- Modularized signer logic into separate files for local and remote wallet signer providers.
- Added comprehensive configuration handling and input validation.
- Improved project structure: added package and skill metadata files; removed legacy docs.
- Enforced stricter security boundaries: never exposes or passes signing keys to SoHo; supports only explicit EVM addresses for merchants.
- Clarified usage patterns for both local dev and production (MPC/HSM) signing flows.
v1.0.1
SOHO Pay v1.0.1 — Initial Release
- Orchestrates secure payments on the SOHO Pay credit layer via EIP-712 signatures and the Creditor smart contract.
- Enforces strict three-party separation: Wallet Signer (user-controlled), SoHo (credit checks/JIT funding), Blockchain (settlement).
- Supports only explicit merchant EVM addresses—never derives from names.
- Confirms manual invocation only; always requires explicit user confirmation before executing payments.
- Implements strong mainnet and key custody safeguards by defaulting to remote signing (MPC/HSM) and gating local key usage to testnets.
- Provides clear contract addresses and environment variable requirements for deployment on Base Sepolia (testnet) and Base Mainnet (with confirmation).
Metadata
Slug soho-pay
Version 2.0.0
License
Total installs 0
Current installs 0
Historical versions 2
FAQ

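What is Soho?

Initiate payments on the SOHO Pay credit layer using EIP-712 signatures. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 417 total downloads to date.

How do I install Soho?

Run the command "/install soho-pay" in the OpenClaw or Claude Code dialog to install it in one step; no additional configuration is required.

Is Soho free?

Yes, Soho is completely free (free and open source) and can be freely downloaded, installed and used.

Which platforms does Soho support?

Soho runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Soho?

Developed and maintained by SULEMAN ISMAILA (@max-clinch); the current version is v2.0.0.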
