← 返回 Skills 市场
parsonssss

Agent APIs x402 Skill

作者 parsonssss · GitHub ↗ · v1.0.2 · MIT-0
cross-platform ⚠ suspicious
395
总下载
0
收藏
0
当前安装
3
版本数
在 OpenClaw 中安装
/install x402-agent-api-skill
功能描述
AI agent skill for x402 paid APIs with live image-hosting and qrcode-generate, plus planned image/video/vision APIs (colorize, super-resolution, enhance, sma...
安全使用建议
Key points to consider before installing: - SKILL.md requires an EVM private key (EVM_PRIVATE_KEY). That is a sensitive secret capable of signing payments/transactions. Only provide a key if you fully trust the x402 service and the skill author. - The registry metadata does NOT declare these required environment variables or an install step — ask the publisher to correct the metadata and supply a formal install spec. - Prefer using a dedicated, low-value wallet or payment-only key (and rotate it after testing) rather than your primary wallet key. - Review the npm packages named in SKILL.md (@x402/*, viem). If you proceed, install them in a sandbox or CI runner you control and audit their source (npm package pages / GitHub repos) before giving any credentials to the environment. - If you want to reduce risk, disable autonomous invocation for the skill (so it cannot be called without explicit user consent) or only enable the skill in an isolated environment. - If the publisher cannot or will not provide consistent metadata and an install spec, treat the skill as higher risk and avoid exposing high-value credentials to it.
功能分析
Type: OpenClaw Skill Name: x402-agent-api-skill Version: 1.0.2 The skill requires a highly sensitive `EVM_PRIVATE_KEY` environment variable and explicitly instructs the AI agent in `SKILL.md` to 'automatically' follow a payment flow to an external API (`x402api.app`). While the provided example code uses standard cryptographic signing rather than direct key exfiltration, the instruction for the agent to automate financial transactions without explicit user confirmation poses a significant risk of unauthorized fund depletion and exposure of the private key within the agent's execution context.
能力评估
Purpose & Capability
The skill's stated purpose (QR generation and image upload via a paid x402 API) aligns with the runtime examples and endpoints in SKILL.md. Requiring an EVM private key to sign payment payloads is plausible for the described x402 payment flow. However, the registry metadata lists no required environment variables or primary credential while SKILL.md explicitly requires EVM_PRIVATE_KEY and API_BASE_URL — an incoherence between claimed metadata and actual instructions.
Instruction Scope
SKILL.md gives step-by-step code and a run-time flow that instructs the agent to: install npm packages, call protected endpoints, parse 402 response headers, create a payment payload and sign it with an EVM private key, then retry. The instructions do not ask the agent to read unrelated files or credentials, but they do direct the agent to use a sensitive EVM_PRIVATE_KEY from environment variables and to perform automatic payment signing — behavior that increases risk if the key is leaked or the service is untrusted.
Install Mechanism
The skill is instruction-only (no install spec recorded by the registry), but SKILL.md instructs running "npm install @x402/core @x402/evm viem". That mismatch means the platform did not capture an explicit install step while the skill expects third-party npm packages to be installed at runtime. Installing external packages from npm is a non-trivial action (network download and code execution) and should be declared in the registry install spec; the lack of a formal install specification is a configuration/packaging concern.
Credentials
SKILL.md requires EVM_PRIVATE_KEY (sensitive) and API_BASE_URL. These are functionally justifiable for an on-chain-signed payment flow, but the registry metadata lists no required env vars/credentials — a significant omission. Requesting a raw EVM private key is high-risk: a compromised key can be used to sign transactions or payments. The skill should declare this credential explicitly in metadata and recommend using a dedicated low-value/payment-only wallet or other mitigations.
Persistence & Privilege
The skill does not request always:true and retains default autonomous invocation (disable-model-invocation:false). Autonomous invocation combined with access to a private key increases the blast radius (the agent could sign payments whenever the skill is invoked). The skill does not attempt to modify other skills or system config. Consider disabling autonomous invocation or using constrained credentials if you want to reduce risk.
如何使用
  1. 确保已安装 OpenClaw(本地或 Docker 部署)
  2. 在对话框中输入安装命令:/install x402-agent-api-skill
  3. 安装完成后,直接呼叫该 Skill 的名称或使用 /x402-agent-api-skill 触发
  4. 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.2
- Updated API endpoint and base URL references from flashcode.live to x402api.app throughout the documentation. - Added a new hidden.json file. - No changes to the set of live or planned features or APIs. - No code or interface changes; only documentation and configuration updates.
v1.0.1
- Added detailed endpoint-specific error code documentation for image upload and QR code generation. - Expanded the skill description to include live and planned API capabilities in more detail. - Removed general 400 error handling section and replaced it with granular error codes per endpoint. - No functional changes to APIs; documentation update only.
v1.0.0
x402-agent-api-skill v1.2.0 introduces a reusable integration for x402-protected paid API endpoints. - Lets AI agents generate QR codes and upload images using x402 payment flow on flashcode.live. - Outlines required setup, including dependencies and environment variables (EVM_PRIVATE_KEY, API_BASE_URL). - Documents currently available endpoints: QR code generation and image hosting (with request and response details). - Lists planned endpoints for future features such as image enhance, object detection, and OCR. - Provides client flow and error handling guidance for robust integration.
元数据
Slug x402-agent-api-skill
版本 1.0.2
许可证 MIT-0
累计安装 0
当前安装数 0
历史版本数 3
常见问题

Agent APIs x402 Skill 是什么?

AI agent skill for x402 paid APIs with live image-hosting and qrcode-generate, plus planned image/video/vision APIs (colorize, super-resolution, enhance, sma... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 395 次。

如何安装 Agent APIs x402 Skill?

在 OpenClaw 或 Claude Code 对话框中运行命令「/install x402-agent-api-skill」即可一键安装,无需额外配置。

Agent APIs x402 Skill 是免费的吗?

是的,Agent APIs x402 Skill 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。

Agent APIs x402 Skill 支持哪些平台?

Agent APIs x402 Skill 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。

谁开发了 Agent APIs x402 Skill?

由 parsonssss(@parsonssss)开发并维护,当前版本 v1.0.2。

推荐 Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 留言讨论