← 返回 Skills 市场
2839
总下载
0
收藏
2
当前安装
1
版本数
在 OpenClaw 中安装
/install tron-x402-payment
功能描述
Pay for x402-enabled Agent endpoints using TRC20 tokens (USDT/USDD) on TRON
安全使用建议
This skill implements on-chain TRC20 payments and therefore needs a TRON private key (and optionally a TronGrid API key for mainnet). Before installing or running: 1) Expect the tool to search environment variables and local files (~/.mcporter/mcporter.json, x402-config.json/.x402-config.json) for keys — if you keep other secrets in those files, the tool will read them. 2) Prefer supplying a dedicated ephemeral/testnet private key via TRON_PRIVATE_KEY (or use the --check mode) rather than storing your mainnet keys in shared configs. 3) Review the included dist/src code locally (it’s provided) and verify no unexpected network endpoints are contacted beyond the agent URL and TronGrid. 4) Be cautious about autonomous invocation: if the agent can call this skill without your confirmation, a compromised agent could attempt payments. 5) If unsure, test on nile/shasta with minimal funds and do not install on systems that store unrelated secrets in the checked config paths.
功能分析
Type: OpenClaw Skill
Name: tron-x402-payment
Version: 1.0.0
This skill is classified as suspicious due to its handling of sensitive financial credentials and the execution of high-risk blockchain transactions. The `src/x402_tron_invoke.ts` script accesses the `TRON_PRIVATE_KEY` from environment variables and local configuration files (`~/.mcporter/mcporter.json`, `x402-config.json`), which is a sensitive operation. Furthermore, the skill is designed to perform TRC20 token payments, including an 'infinite approval' if the allowance is insufficient, which grants ongoing spending permission for the specified token. While the `SKILL.md` documentation and the TypeScript code include explicit security rules and sanitization to prevent private key leakage, the inherent risks associated with managing private keys and performing irreversible financial transactions warrant a 'suspicious' classification.
能力评估
Purpose & Capability
The name/description (x402 TRC20 payments) aligns with the implemented functionality: the tool uses tronweb and an x402 client to sign payments and invoke agent endpoints. However, the registry metadata lists no required env vars while the SKILL.md and code clearly expect TRON_PRIVATE_KEY (and optionally TRON_GRID_API_KEY). That mismatch between declared requirements and actual code is a material inconsistency.
Instruction Scope
SKILL.md and the code instruct the tool to locate a private key and API key by checking: environment variables, current/home x402-config.json (and .x402-config.json in source), and ~/.mcporter/mcporter.json (iterating mcpServers entries). Reading these local config files is outside a minimal 'invoke agent' action and increases the credential surface — the tool will silently inspect local files for secrets. The tool also redirects console.log to console.error (so library debug output, possibly including signing details, will be emitted to stderr). Network calls are to the provided agent URL and TronGrid (expected for payments).
Install Mechanism
There is no remote download/install step; the package includes source and a compiled dist bundle. Dependencies are standard/npm packages (tronweb, @open-aibank/x402-tron). No evidence of arbitrary URL downloads or extract/install of remote archives.
Credentials
Requesting a TRON private key and a TronGrid API key is proportionate for a payment tool. But the code's behavior — searching multiple local files (including ~/.mcporter/mcporter.json and scanning mcpServers objects) — broadens where secrets may be read from. Also the published registry metadata not listing required env vars is inconsistent and may mislead users about what credentials will be accessed.
Persistence & Privilege
The skill is not always-enabled and is user-invocable. It permits autonomous invocation by default (platform default). That combination is expected for a payment/invoke tool, but because it can access private keys, autonomous invocation increases potential blast radius — consider this when enabling for agents that can act without user confirmation.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install tron-x402-payment - 安装完成后,直接呼叫该 Skill 的名称或使用
/tron-x402-payment触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
tron-x402-payment 1.1.0 introduces new documentation and usability features.
- Updated SKILL.md with detailed usage instructions, quick start guide, security recommendations, examples, cost tables, troubleshooting guides, and token/network references.
- Added comprehensive explanation for wallet setup, environment variable handling, and agent endpoint invocation modes.
- Included do's and don'ts for secure handling of private keys and sensitive data.
- Provided guidance for handling 402 responses and payment workflow.
- Added command usage examples for multiple scenarios (v2 APIs, discovery, legacy endpoints, and status checking).
元数据
常见问题
tron-x402-payment 是什么?
Pay for x402-enabled Agent endpoints using TRC20 tokens (USDT/USDD) on TRON. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 2839 次。
如何安装 tron-x402-payment?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install tron-x402-payment」即可一键安装,无需额外配置。
tron-x402-payment 是免费的吗?
是的,tron-x402-payment 完全免费(开源免费),可自由下载、安装和使用。
tron-x402-payment 支持哪些平台?
tron-x402-payment 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 tron-x402-payment?
由 AiBank(@wzc1206)开发并维护,当前版本 v1.0.0。
推荐 Skills