Total downloads: 385
Favorites: 0
Current installs: 7
Versions: 1
Install in OpenClaw
/install x402
Description
Pay for resources via the x402 HTTP payment protocol using gasless USDC transfers on Base without accounts or KYC, enabling cryptographic identity-based access.
Security usage recommendations
This skill implements the x402 payment flow and will need access to a wallet private key (PRIVATE_KEY) or a wallet file (WALLET_PATH) to sign EIP-3009 authorizations. The registry metadata failing to declare those sensitive env vars is an incoherence you should treat as a red flag. Before using: (1) do not paste your private key into untrusted UIs — prefer hardware wallets or short-lived keys; (2) inspect the x402.mjs code yourself or run it in an isolated environment; (3) if you must provide a key, consider creating a dedicated wallet with minimal funds and strict spending limits; (4) verify the USDC contract addresses and provider endpoints (conway.tech) against official sources; (5) be cautious that giving an agent a private key enables it to sign arbitrary authorizations — only proceed if you fully trust the code and the environment.
Functional analysis
Type: OpenClaw Skill
Name: x402
Version: 1.0.0
The skill implements the x402 protocol for automated USDC payments on the Base network, which involves high-risk operations such as handling private keys and signing EIP-3009 transactions. While the behavior is aligned with its stated purpose, the implementation in `x402.mjs` automatically signs payment authorizations based on parameters (amount, recipient) provided by the remote server in a 402 response. This creates a vulnerability where a malicious server could potentially trick an agent into signing unauthorized or excessive payments. No evidence of intentional credential theft or hardcoded malicious destinations was found.
Capability assessment
Purpose & Capability
The code and SKILL.md clearly implement x402 gasless USDC payments on Base (signing EIP-3009 authorizations and resubmitting requests). That capability matches the name/description. However, the package metadata declares no required environment variables or credentials while the code and documentation require a wallet private key (or a wallet file). The absence of declared credential requirements in the registry metadata is an incoherence.
Instruction Scope
Runtime instructions and examples tell the agent / user to load a private key from process.env.PRIVATE_KEY or a WALLET_PATH file, sign authorizations, and POST X-Payment headers. The instructions do not ask for unrelated system data. Small issues: the README references conway-domain.mjs (domain registration) but that file is not included in the bundle, and examples assume Node globals (fetch, atob/btoa, crypto) that depend on runtime. Otherwise the steps stay within the payment scope.
Install Mechanism
There is no install spec (instruction-only install), and package.json lists 'viem' as a dependency. Nothing in the skill downloads arbitrary code from unknown URLs or writes unexpected binaries. The absence of an install block means nothing is automatically written to disk by the registry installer, but a consumer would need to install dependencies manually to run the examples.
Credentials
The skill requires sensitive wallet access (PRIVATE_KEY or WALLET_PATH) to sign payments, but the registry metadata did not declare these required env vars. Reading a WALLET_PATH allows arbitrary-file access (the example uses readFileSync on a path you supply), which could expose other secrets if misused. The number of credentials is not large, but the omission in metadata and use of raw private keys are important security considerations.
Persistence & Privilege
The skill is not always-enabled and does not request persistent platform privileges. It does allow normal autonomous invocation (the default), so if the agent is given a private key the skill could be invoked to sign payments; that risk is inherent to any payment-capable skill and should be managed by the user.
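How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install x402
- Once installation completes, invoke the Skill by name or trigger it with /x402
- Provide the required inputs according to the Skill's parameter description to get structured output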
Version history
v1.0.0
Initial release: x402 HTTP payment protocol for agents. Pay for compute with USDC on Base.
FAQ
What is x402 Payment Protocol?
Pay for resources via the x402 HTTP payment protocol using gasless USDC transfers on Base without accounts or KYC, enabling cryptographic identity-based access. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 385 downloads to date.
How do I install x402 Payment Protocol?
Run the command "/install x402" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.
Is x402 Payment Protocol free?
Yes, x402 Payment Protocol is completely free (free and open source) and can be freely downloaded, installed and used.
Which platforms does x402 Payment Protocol support?
x402 Payment Protocol is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed x402 Payment Protocol?
It is developed and maintained by Lumen (@lumenfromthefuture); the current version is v1.0.0.