vraspar

Cli

Author: vraspar · GitHub · v0.1.3
cross-platform ⚠ suspicious
Total downloads: 466
Favorites: 0
Current installs: 0
Versions: 4
Install in OpenClaw
/install x402r-dispute
Description
Pay merchants and file payment disputes on the x402r refundable payments protocol
Security usage recommendations
This CLI appears to do what it says, but it uses and persists private keys and will send payment metadata to an arbiter server and (optionally) to Pinata. Before installing or using it:
  1. Do not supply your primary/production private key — use a disposable test key for evaluation.
  2. Review and set the arbiter URL and pinata JWT only to endpoints you trust (default is localhost).
  3. Inspect ~/.x402r/config.json and ~/.x402r/*.json after running and remove any private keys you don't want persisted.
  4. Be cautious about running the included e2e test — it explicitly writes a merchant private key into last-payment.json in the test mode.
  5. If you need the agent to use this skill autonomously, consider the additional risk of stored credentials and restrict invocation or use ephemeral keys.
If you want more certainty, provide the maintainer/source (homepage/repo) and a provenance check so I can re-evaluate with higher confidence.
Functional analysis
Type: OpenClaw Skill
Name: x402r-dispute
Version: 0.1.3
The skill is classified as suspicious due to significant file system vulnerabilities. Specifically, `src/commands/pay.ts` allows writing arbitrary HTTP response bodies to user-specified paths via the `--output` option, and `src/commands/dispute.ts` allows reading arbitrary files as evidence via the `--file` option. These flaws could enable arbitrary file write/read if an attacker can control the input paths. Additionally, the skill handles private keys, which are stored on disk in `~/.x402r/config.json`, and makes numerous external network calls to arbiter/court URLs (e.g., `https://www.moltarbiter.com/arbiter`) and Pinata, which are high-risk operations, though necessary for its stated web3 payment dispute purpose. There is no evidence of intentional malicious behavior like data exfiltration or persistence.
Capability assessment
Purpose & Capability
The code and SKILL.md align: the tool signs payments, submits on-chain refund requests, pins evidence to IPFS, and queries an arbiter. There are no obvious unrelated capabilities (no cloud providers, no unexpected admin APIs). However the skill expects a private key/operator config to operate even though the registry metadata lists no required env vars; configuration is handled via 'x402r config' and persisted to ~/.x402r/config.json.
Instruction Scope
SKILL.md limits runtime instructions to paying, disputing, status/show/verify flows implemented in the included CLI. The runtime will read/write config and state in the user's home (~/.x402r/), load a .env if present in the package layout, post payment metadata to the configured arbiter, and optionally call Pinata with a JWT. It does not instruct the agent to read arbitrary unrelated system files, but it does persist and reuse local state (including potentially sensitive fields).
Install Mechanism
This is instruction-only (no external install spec). The package includes source files but there are no downloads or URL-based installers in the skill bundle; runtime uses standard npm/Node dependencies and local filesystem access. No high-risk remote install steps were found.
Credentials
Functionality legitimately requires a private key, operator address, arbiter URL, and optionally a Pinata JWT. Those are sensitive. Although the registry lists no required env vars, the CLI relies on PRIVATE_KEY, OPERATOR_ADDRESS, ARBITER_URL, PINATA_JWT, etc. The tool will persist config (including the private key) to ~/.x402r/config.json and may POST payment metadata to your configured arbiter URL — this is proportional to the purpose but high-risk if you provide production keys or point arbiter/pinata to untrusted endpoints.
Persistence & Privilege
The CLI writes persistent state and configuration to the user's home (~/.x402r/config.json, last-payment.json, last-dispute.json). That includes the private key if you run 'config --key'. The skill is not marked 'always: true'. Allowing autonomous agent invocation (the default) together with persisted private keys increases the blast radius if you permit the agent to call the skill without manual confirmation.
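How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install x402r-dispute
  3. Once installation completes, call the Skill by name or trigger it with /x402r-dispute
  4. Provide the required inputs according to the Skill's parameter description to get structured output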
Version history
v0.1.3
v0.1.3 - Adds direct payment support and streamlines CLI workflow
- New pay command: Make escrow payments directly from the CLI (auto-saves payment info for disputes)
- CLI setup now auto-discovers operator, network, and RPC from the arbiter server
- Unified state-saving: pay/dispute commands save required info for later workflow steps
- SKILL.md and help output rewritten for clarity and improved onboarding
- Several files updated and new pay command source files added
v0.1.2
Add test merchant quick start, network guidance, faucet links
v0.1.1
Add public arbiter URL to docs
v0.1.0
x402r-dispute 0.1.0 – Initial Release
- Introduces a CLI for filing and tracking payment disputes on the x402r refundable payments protocol.
- Features commands for dispute creation, status checks, evidence viewing, listing disputes, and verifying AI arbiter rulings.
- Supports configuration of wallet, operator, network, and arbiter server.
- Saves dispute/payment state locally for streamlined workflows.
- Offers advanced options for structured evidence, custom payment JSON, and IPFS evidence storage.
- Includes detailed troubleshooting for connectivity and usage issues.
Metadata
Slug x402r-dispute
Version 0.1.3
License
Total installs 0
Current installs 0
Number of historical versions 4
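FAQ

What is Cli?

Pay merchants and file payment disputes on the x402r refundable payments protocol. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 466 total downloads to date.

How do I install Cli?

Run the command "/install x402r-dispute" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.

Is Cli free?

Yes, Cli is completely free (open source and free of charge) and can be freely downloaded, installed and used.

Which platforms does Cli support?

Cli runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Cli?

Developed and maintained by vraspar (@vraspar); the current version is v0.1.3.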
