PaySpawn — On-Chain Spending Limits for AI Agents

v1.0.3

Add spending controls to any AI agent that makes API payments. Supports x402 auto-pay, daily limits, per-transaction limits, address allowlists, and fleet pr...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
The SKILL.md describes an on-chain spend-permission workflow and an SDK for enforcing limits on Base/USDC. The declared behaviors (daily cap, per-tx cap, whitelist, fleet provisioning) match the SDK usage examples and the provided contract address, so the requested capabilities are coherent with the stated purpose.
Instruction Scope
Runtime instructions are limited to installing the @payspawn/sdk, creating a credential via the payspawn dashboard, setting the PAYSPAWN_CREDENTIAL env var, and calling SDK methods (pay, fetch, check, pause/unpause). The instructions do not ask the agent to read unrelated files or credentials, nor to exfiltrate data to unexpected endpoints.
Install Mechanism
This is an instruction-only skill that recommends installing @payspawn/sdk from npm (>=5.3.0). Using an npm package is expected for this functionality, but the package and its repository should be audited by the user: npm packages can contain arbitrary code, so verify the package name, author, and source repo before installing or running with real funds.
Credentials
Only one optional environment credential (PAYSPAWN_CREDENTIAL) is referenced in the SKILL.md and it is appropriate for an on-chain spend-permission system. This credential is described as a scoped spend permission (not a private key) and scope/expiry controls are sensible. Note: granting such a credential and approving the on-chain USDC allowance does enable on-chain transfers up to the configured limits, so verifying the contract and using minimal funds is prudent.
Persistence & Privilege
Skill metadata does not force permanent inclusion (always: false) and it does not request system-wide config or other skills' credentials. The skill is instruction-only and does not claim to modify other skills or agent infrastructure.
Assessment
This skill appears internally consistent for enforcing on-chain spending limits, but you should not hand it real funds without verification. Before installing or using it: (1) verify the npm package (@payspawn/sdk) and its maintainer (check the package page, author, and GitHub repo source code and commit history); (2) verify the smart contract address and source on Base (review verified contract code on a block explorer); (3) confirm the payspawn.ai dashboard domain is legitimate (check HTTPS, WHOIS, social proof); (4) test with a fresh wallet and a very small USDC amount and set conservative caps/whitelists; (5) store the PAYSPAWN_CREDENTIAL securely (it grants on-chain spend permissions within limits); (6) be cautious of npm typosquatting or malicious dependencies — audit dependencies before running in production. If you need higher assurance, ask the publisher for links to a verified GitHub repo and contract verification proof before trusting substantial funds.



Runtime requirements

🔐 Clawdis
