xClaw02
Author: primer-dev · GitHub · v0.1.0
Total downloads: 1511
Favorites: 1
Current installs: 1
Versions: 1
Install in OpenClaw
/install xclaw02
Description
Make x402 payments. Pay for APIs, sell your services, handle 402 Payment Required responses with USDC on Base and other EVM chains.
Security recommendations
This skill appears to be a real payment tool, but proceed carefully: do not paste or send your main private keys into chat or to an unverified package. Before installing or using it, verify the package source and repository (check the GitHub repo and publisher identity), inspect the package code (npm/PyPI) or request a signed release, and prefer an ephemeral or limited-funds wallet for testing rather than your main funds. If you must provide a private key, consider using a signing service or hardware wallet rather than storing plain keys in env vars or ~/.openclaw. Confirm where the tool stores keys/config and lock down the file permissions. Finally, use the CLI's --dry-run and wallet balance checks first, and request the skill author/publisher details if provenance remains unclear.
Functional analysis
Type: OpenClaw Skill
Name: xclaw02
Version: 0.1.0
The OpenClaw AgentSkills skill bundle for 'xclaw02' is classified as benign. The skill's purpose is to facilitate x402 stablecoin payments, which inherently involves handling sensitive information like private keys and performing network transactions. However, the `SKILL.md` documentation provides clear instructions for the AI agent that are directly aligned with this stated purpose, including explicit security advice such as never exposing private keys, using environment variables for credentials, and always confirming payment amounts with the user. There is no evidence of prompt injection attempting to subvert the agent's behavior, no instructions for unauthorized data exfiltration beyond the payment protocol, and no signs of malicious execution, persistence, or obfuscation.
Capability assessment
Purpose & Capability
The SKILL.md describes a legitimate purpose (making/receiving x402 payments, wallet management, probing 402 responses) and the required runtime binaries (node/npx/python3/pip) fit that purpose. However, the registry metadata declares no required environment variables or primary credential while the runtime docs explicitly reference a sensitive environment variable (XCLAW02_PRIVATE_KEY) and XCLAW02_NETWORK — this mismatch is unexplained.
Instruction Scope
The instructions tell the agent/user to create wallets, store config under ~/.openclaw/skills/xclaw02/, and to use XCLAW02_PRIVATE_KEY for signing payments. That means private keys or signing artifacts may be written to disk and read from env vars. The SKILL.md also instructs installing packages (pip install / npx) and running CLI commands that will fetch and execute remote code. Storing/handling private keys and automatically invoking installers are sensitive behaviors and should be carefully audited.
Install Mechanism
There is no install spec in the skill bundle itself (instruction-only), which is lower static risk. But the documentation expects the user/agent to run `pip install xclaw02` or `npx xclaw02`, which will pull code from package registries (npm/PyPI). Because the skill package source is listed as 'unknown' and the registry header earlier said 'Homepage: none' while _meta.json embeds a homepage/repository, the provenance is ambiguous. Installing packages from registries is expected for this kind of tool but should be done only after verifying the package and repo.
Credentials
Using a private key (XCLAW02_PRIVATE_KEY) is necessary to sign payments, so requesting a private key is proportionate to the payment purpose — but the skill metadata does not declare that env var as required, which is an inconsistency. The skill also instructs saving config and keys to a home directory path, which increases the persistence and blast radius if keys are compromised. No other external credentials are requested, but the omission of the private-key requirement from the declared requirements is notable.
Persistence & Privilege
always:false and model invocation defaults are fine. The skill will persist configuration and potentially private keys under ~/.openclaw/skills/xclaw02/, which is normal for a CLI wallet but is a persistence of sensitive material. The skill does not request system-wide privileges or claim to modify other skills.
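How to use
- Make sure OpenClaw is installed (local or Docker deployment).
- Enter the install command in the chat box: /install xclaw02
- Once installation completes, call the Skill by name or trigger it with /xclaw02
- Provide the required inputs as described by the Skill's parameters to get structured output.
Version history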
v0.1.0
Initial release of xclaw02: Open payment standard for instant USDC payments using 402 Payment Required responses.
- Supports making and receiving x402 payments via CLI and code (Node.js, Python).
- Enables paying for APIs/services, handling 402 errors, creating wallets, and checking balances on Base and other EVM chains.
- Includes quick setup instructions, CLI/API usage examples, and server middleware for selling paid APIs.
- Lists supported networks, facilitators, environment variables, and common error handling.
- Emphasizes agent safety: private key security and user confirmation for payments.
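FAQ
What is xClaw02?
Make x402 payments. Pay for APIs, sell your services, handle 402 Payment Required responses with USDC on Base and other EVM chains. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 1511 cumulative downloads to date.
How do I install xClaw02?
Run the command "/install xclaw02" in the OpenClaw or Claude Code chat box for a one-click install; no additional configuration is needed.
Is xClaw02 free?
Yes, xClaw02 is completely free (open source and free of charge) and can be freely downloaded, installed and used.
Which platforms does xClaw02 support?
xClaw02 runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed xClaw02?
It is developed and maintained by primer-dev (@primer-dev); the current version is v0.1.0.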