Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

solclaw

Non-custodial USDC payments on Solana by agent name. Use this skill when the user wants to: send USDC to another agent by name, check their USDC balance, register as a payable agent, set up recurring subscriptions, manage allowances, create invoices, or interact with agent-native payments on Solana devnet. Triggers: "send USDC", "pay agent", "USDC balance", "register wallet", "solclaw", "batch payment", "subscription", "invoice".

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 1k · 0 current installs · 0 all-time installs
Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name, description, and commands are coherent: a CLI-based, non-custodial Solana USDC payments tool would need to manage keypairs, register on-chain, query balances, and send transactions. Program IDs and USDC mint are provided and the network is explicitly Devnet, which matches the stated purpose.
Instruction Scope
The SKILL.md instructs the agent to import/export private keys, store keys at ~/.config/solclaw/keypair.json, run commands that sign transactions locally, and suggests automation (heartbeat, cron). It also references external API endpoints (solclaw.xyz). Automatically executing subscription/pay commands or running export commands (which can output raw private keys) increases the risk of accidental or automated fund transfers and key leakage. The instructions grant broad discretion (run cron, run heartbeats) that could cause side effects if misused.
Install Mechanism
There is no install spec (instruction-only), which is lower risk, but the docs instruct use of npx solclaw-cli and assume a 'solclaw' binary — npx implicitly downloads and runs code from npm each time. The skill does not declare or vet that package or provide checksums/known-good sources. That implicit remote code execution via npx and the use of curl against solclaw.xyz are installation/runtime actions you should verify before running.
Credentials
The skill requests no environment variables or credentials, which is proportionate. However, the runtime guidance deals directly with highly sensitive secrets (private keys, base58 keys, keypair files) and instructs exporting/importing them. That handling is expected for a wallet tool, but it's sensitive: exporting keys, storing them on disk, or piping command outputs to scripts increases exposure and should be treated carefully (prefer hardware wallets or read-only automation).
Persistence & Privilege
always:false and no persistent install are appropriate. However, the included heartbeat.md and examples recommend cron jobs and long‑running automation that would periodically query state and (implicitly) could execute payments or subscriptions. Persisting an automated process that can trigger transactions increases blast radius — the skill itself doesn't request the privilege, but it explicitly encourages setting it up.
What to consider before installing
This skill appears to do what it says, but it relies on running a third‑party CLI (npx solclaw-cli / solclaw) and on an external API (solclaw.xyz). Before installing or automating anything:

  1. Verify the provenance of the solclaw-cli package (inspect the npm package source and author, check GitHub repo and releases) rather than running npx blindly.
  2. Do not export or paste private keys into scripts; prefer hardware wallet or keep keys offline.
  3. Avoid automated cron jobs that execute payments or 'execute subscription' commands unless you fully trust and have audited the CLI and configuration; limit automation to read-only checks.
  4. Test thoroughly on Devnet only and review the CLI code (or request signed release artifacts) before using on Mainnet.

If you want, I can list specific checks to perform on the npm package or help craft safer automation patterns (read-only heartbeats, alerts instead of automatic execution).


Current version: v1.0.0
latest: vk97f5910n9hbpz7wkze6tvzryd80pyme


SKILL.md

SolClaw — Non-Custodial USDC Payments by Name

What This Does

SolClaw lets AI agents send and receive USDC on Solana using human-readable names instead of wallet addresses. Your keys stay on your machine — the CLI signs transactions locally.

Key Features:

  • Non-custodial: Your private key never leaves your machine
  • Name-based: Send to "Alice" instead of base58 addresses
  • On-chain: Everything stored on Solana, no trusted intermediary
  • Full-featured: Batch, split, subscriptions, allowances, invoices, spending caps

Quick Start (5 commands)

# 1. Initialize your agent
npx solclaw-cli init --name "MyAgent"

# 2. Get SOL for gas
npx solclaw-cli faucet

# 3. Register on-chain (creates your vault)
npx solclaw-cli register

# 4. Get USDC from Circle faucet -> paste your vault address
#    https://faucet.circle.com (Solana Devnet)

# 5. Send USDC!
npx solclaw-cli send --to "SolClaw" --amount 1 --memo "Hello!"

Already Have a Wallet?

# Import from Solana CLI keypair file
solclaw init --name "MyAgent" --keypair ~/.config/solana/id.json

# Import from base58 private key
solclaw init --name "MyAgent" --private-key "your_base58_private_key..."

# Export your keypair (for backup or migration)
solclaw export                    # base58 format
solclaw export --format json      # Solana CLI format
solclaw export --quiet            # key only, no warnings

CLI Command Reference

Setup Commands

Command            Description
init --name <n>    Generate keypair, create config
register           Register on-chain, create vault
faucet             Request SOL airdrop
whoami             Show identity, balances, config

Payment Commands

Command                                        Description
send --to <n> --amount <n>                     Send USDC by name
deposit --amount <n>                           Move USDC from wallet to vault
withdraw --amount <n>                          Move USDC from vault to wallet
balance [--name <n>]                           Check USDC balance
batch --payments <json>                        Pay multiple agents
split --amount <n> --recipients <json>         Split proportionally
refund --to <n> --amount <n> --reason <text>   Issue refund

Subscriptions

# Create recurring payment
solclaw subscribe create --to "Service" --amount 10 --interval 86400

# Execute due subscription (anyone can crank)
solclaw subscribe execute --sender "Me" --receiver "Service"

# Cancel subscription
solclaw subscribe cancel --receiver "Service"

# List subscriptions
solclaw subscribe list

Allowances (ERC-20 style)

# Approve another agent to pull USDC
solclaw allowance approve --spender "Worker" --amount 100

# Pull from an allowance (spender calls this)
solclaw allowance pull --owner "Boss" --amount 50 --memo "Weekly pay"

# Increase allowance
solclaw allowance increase --spender "Worker" --amount 50

# Revoke allowance
solclaw allowance revoke --spender "Worker"

# Check allowance
solclaw allowance check --owner "Boss" --spender "Worker"

Invoices (Payment Requests)

# Create invoice (request payment)
solclaw invoice create --payer "Client" --amount 100 --memo "Project work"

# Pay an invoice
solclaw invoice pay --id 1

# Reject an invoice
solclaw invoice reject --id 1

# Cancel your invoice
solclaw invoice cancel --id 1

# List invoices
solclaw invoice list --status pending

Safety & Info

# Set daily spending limit
solclaw spending-cap set --limit 100

# Check spending cap
solclaw spending-cap check

# Check reputation score
solclaw reputation

# Transaction history
solclaw history --limit 20

API Endpoints (Read-Only)

The API is stateless and read-only. Use it to query on-chain data.

Endpoint                Method   Description
/api/health             GET      Check API status
/api/balance/:name      GET      Get vault balance
/api/resolve/:name      GET      Resolve name to addresses
/api/agents             GET      List all registered agents
/api/leaderboard        GET      Top agents by volume
/api/reputation/:name   GET      Get reputation score
/api/subscriptions      GET      List subscriptions
/api/due                GET      Get due subscriptions

Example API Calls

# Check balance
curl https://solclaw.xyz/api/balance/MyAgent

# Get reputation
curl https://solclaw.xyz/api/reputation/MyAgent

# View leaderboard
curl https://solclaw.xyz/api/leaderboard?sort=reputation

Security Model

  1. Non-Custodial: Private keys stored in ~/.config/solclaw/keypair.json with 600 permissions
  2. Local Signing: All transactions signed on your machine
  3. No Server Keys: API is read-only, never touches private keys
  4. On-Chain Authority: Vault operations require wallet signature
  5. Spending Caps: Optional daily limits to prevent runaway spending

Bring Your Own Wallet

SolClaw supports importing existing Solana wallets:

  • Solana CLI format: --keypair ~/.config/solana/id.json
  • Base58 private key: --private-key "your_key..."
  • Export for backup: solclaw export

Your existing wallet works seamlessly with SolClaw. Import once, use the same keypair across tools.

Planned for Mainnet

  • Phantom/Backpack wallet adapter
  • Ledger hardware wallet support
  • Multi-sig vaults

Technical Details

Item         Value
Program ID   J4qipHcPyaPkVs8ymCLcpgqSDJeoSn3k1LJLK7Q9DZ5H
USDC Mint    4zMMC9srt5Ri5X14GAgXhaHii3GnPAEERYPJgZJDncDU
Network      Solana Devnet
CLI Config   ~/.config/solclaw/

Commerce Loop Example

# 1. Agent registers
solclaw init --name "Merchant"
solclaw faucet && solclaw register

# 2. Merchant creates invoice for customer
solclaw invoice create --payer "Customer" --amount 50 --memo "Order #1234"

# 3. Customer pays invoice
solclaw invoice pay --id 1

# 4. Set up recurring service
solclaw subscribe create --to "Merchant" --amount 10 --interval 2592000

# 5. Check merchant reputation
solclaw reputation --name "Merchant"
