← Back to Skills Marketplace
mavagio

MoonPay Commerce (Helio) Accept Crypto Payments

by mavagio · GitHub ↗ · v0.3.0
cross-platform ✓ Security Clean
1763
Downloads
1
Stars
0
Active Installs
3
Versions
Install in OpenClaw
/install mpc-accept-crypto-payments
Description
Accept crypto payments on Solana via MoonPay Commerce (formerly Helio). Create Pay Links, generate checkout URLs, check transactions, and list supported currencies. Use when the user wants to accept crypto payments, create payment links, charge for products/services with crypto, or query payment transactions. Requires a MoonPay Commerce account with API key and secret.
Usage Guidance
This skill appears to do what it says: it calls the official Helio (MoonPay Commerce) API and stores your API key/secret locally in ~/.mpc/helio/config (saved with mode 600 by the setup script). Before installing or running: (1) review the two scripts yourself to confirm comfort with saving credentials to your home directory; (2) do not paste API secrets into chat — use the interactive setup script which prompts locally; (3) verify network access is only to api.hel.io/app.hel.io (the scripts call those endpoints); (4) if you prefer not to persist credentials, you can export HELIO_API_KEY/HELIO_API_SECRET in your session and avoid running the setup save step. Overall the files are coherent and proportionate to the stated purpose.
Capability Analysis
Type: OpenClaw Skill Name: mpc-accept-crypto-payments Version: 0.3.0 The skill bundle demonstrates robust security practices, particularly in credential handling and input sanitization. The `setup.sh` script interactively prompts for API keys/secrets, stores them in `~/.mpc/helio/config` with `600` permissions, and the `load_config` function in both `helio.sh` and `setup.sh` safely parses only whitelisted `KEY="value"` lines, preventing arbitrary code execution from the config file. Crucially, `helio.sh` includes a `validate_input` function that rejects shell metacharacters and path traversal sequences for all user-supplied arguments, mitigating shell injection vulnerabilities. All API interactions are with `https://api.hel.io/v1`, and JSON payloads are safely constructed using `jq -n --arg`. There is no evidence of data exfiltration, persistence mechanisms, or prompt injection attempts against the agent.
Capability Assessment
Purpose & Capability
Name/description, declared env vars (HELIO_API_KEY, HELIO_API_SECRET), required binaries (curl, jq), referenced endpoints (api.hel.io, app.hel.io), and included helper scripts all align with a MoonPay Commerce / Helio merchant helper for creating pay links, charges, and querying transactions.
Instruction Scope
SKILL.md instructs the agent to run the provided setup and helper scripts and to call the documented Helio API endpoints. The scripts only read/write a local config (~/.mpc/helio/config), read the declared env vars, and call api.hel.io; they do not attempt to read unrelated system files or send data to unexpected external endpoints.
Install Mechanism
No install spec is present (instruction-only), so nothing arbitrary is downloaded or executed during install. The included scripts live in the skill bundle and are plain shell scripts — no network-based install or third-party archive extraction was requested.
Credentials
Only the two credentials required by the Helio API are requested (API key and secret). The number and type of env vars are proportional to the skill's functionality and are referenced consistently by the scripts and SKILL.md.
Persistence & Privilege
The setup script persistently saves credentials to ~/.mpc/helio/config with chmod 600 and performs ownership/permission checks; this is expected for a merchant CLI. The skill is not forced always-on and does not modify other skills or system-wide settings.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install mpc-accept-crypto-payments
  3. After installation, invoke the skill by name or use /mpc-accept-crypto-payments
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.3.0
# Changelog ## v0.3.0 ### Security - **Input sanitization for all user-supplied arguments in `helio.sh`** - Added `validate_input` function that rejects values containing shell metacharacters, URL-unsafe characters, and path traversal sequences (`..`) - Allowlist: `a-zA-Z0-9._@:/-` — covers Helio IDs, currency symbols, wallet addresses, and decimal amounts - Validated arguments: `symbol` (currency-id, create-paylink), `amount` (create-paylink), `paylink_id` (charge, transactions, disable, enable) - Mitigates URL path traversal and terminal output injection when arguments are interpolated into curl URLs and echo statements - Addresses code scanner findings from v0.2.0 review
v0.2.0
v0.2.0 Security - Replaced source "$CONFIG_FILE" with safe load_config() parser in scripts/helio.sh and scripts/setup.sh - Validates file ownership (must be current user) - Rejects world-readable/writable permissions (requires 600) - Only parses whitelisted keys (HELIO_API_KEY, HELIO_API_SECRET, HELIO_WALLET_ID, HELIO_WALLET_PUBKEY) via case statement - Uses BSD/GNU stat fallback for portability Bug Fixes - Fixed awk exponentiation in scripts/helio.sh create-paylink command - Replaced ^ operator (non-portable) with multiplication loop - Switched from shell-interpolated variables to awk -v flag (prevents injection) - Single-quoted awk program string prevents shell expansion Metadata - Added metadata.openclaw block to SKILL.md frontmatter - Declared binary dependencies: jq, curl - Declared required env vars: HELIO_API_KEY, HELIO_API_SECRET - Declared credential storage path, setup command, and file permissions
v0.0.1
Initial alpha release
Metadata
Slug mpc-accept-crypto-payments
Version 0.3.0
License
All-time Installs 0
Active Installs 0
Total Versions 3
Frequently Asked Questions

What is MoonPay Commerce (Helio) Accept Crypto Payments?

Accept crypto payments on Solana via MoonPay Commerce (formerly Helio). Create Pay Links, generate checkout URLs, check transactions, and list supported currencies. Use when the user wants to accept crypto payments, create payment links, charge for products/services with crypto, or query payment transactions. Requires a MoonPay Commerce account with API key and secret. It is an AI Agent Skill for Claude Code / OpenClaw, with 1763 downloads so far.

How do I install MoonPay Commerce (Helio) Accept Crypto Payments?

Run "/install mpc-accept-crypto-payments" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is MoonPay Commerce (Helio) Accept Crypto Payments free?

Yes, MoonPay Commerce (Helio) Accept Crypto Payments is completely free (open-source). You can download, install and use it at no cost.

Which platforms does MoonPay Commerce (Helio) Accept Crypto Payments support?

MoonPay Commerce (Helio) Accept Crypto Payments is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created MoonPay Commerce (Helio) Accept Crypto Payments?

It is built and maintained by mavagio (@mavagio); the current version is v0.3.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463368 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259467 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200457 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191163 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190189 · by oswalpalash

💬 Comments