ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Setup Reliable Services

v1.0.2

Set up OpenSpend CLI and optional Coinbase payments-mcp for payment-enabled workflows. Use when openspend is missing, command not found, whoami fails, or use...

1· 359·0 current·0 all-time
byAlbert Putra Purnama@albertpurnama

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for albertpurnama/setup-services.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Setup Reliable Services" (albertpurnama/setup-services) from ClawHub.
Skill page: https://clawhub.ai/albertpurnama/setup-services
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install albertpurnama/setup-services

ClawHub CLI

Package manager switcher

npx clawhub@latest install setup-services
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (install OpenSpend CLI + optional Coinbase payments MCP) aligns with the actions described: installing a CLI, authenticating, and configuring an MCP entry. However, the skill does not declare that it will read/write user config (~/.codex/mcp.json) or run package managers (brew, npx/curl) which are directly relevant to that purpose and should have been declared.
!
Instruction Scope
SKILL.md instructs the agent to run system commands, install software, authenticate via CLI and wallet UI, and directly add an MCP server entry to a user config file (~/.codex/mcp.json). It references a number of agent/SDK actions (check_session_status, show_wallet_app, get_wallet_address, bazaar_list, x402_* etc.) without clarifying who/what exposes these. The skill implicitly directs reading and modifying a user config path and running external installers; these side-effects are not surfaced in the skill metadata and grant the agent broad discretion.
!
Install Mechanism
There is no formal install spec; installation is instruction-only. The instructions recommend brew install from a third‑party tap (promptingcompany/tap) and a curl | sh installer from https://openspend.ai/install. Both are plausible for a CLI but have higher risk: the brew tap is not a well-known canonical tap and piping a remote script to sh is intrinsically risky unless the user verifies the source and integrity. The payments component uses npx -y to fetch @coinbase/payments-mcp on demand, which will download and run code from npm.
Credentials
The skill declares no required environment variables or credentials, which is consistent with using an interactive wallet-based authentication flow. However, it instructs editing and using a config file (~/.codex/mcp.json) and running authentication commands that will create or modify stored credentials/token state; those config accesses are material and should have been declared in metadata.
!
Persistence & Privilege
always is false (good). However, the skill directs persistent changes to user configuration (~/.codex/mcp.json) and to install CLIs which will remain on disk and change PATH behavior. Those persistent side effects modify user/system state beyond a transient action and are not declared in the registry metadata.
What to consider before installing
This skill will install software, modify your MCP config (~/.codex/mcp.json), and run remote installers (brew tap, curl | sh, npx). Before using it: (1) get explicit user consent before any install; (2) prefer vetted package sources (official brew taps, signed releases); (3) avoid piping unknown curl output to sh unless you inspect the script; (4) back up ~/.codex/mcp.json before the skill edits it; (5) be aware npx -y will download and execute npm code — verify the package and version first; (6) verify openspend.ai and the brew tap are legitimate project sources; and (7) ensure you are comfortable completing wallet-based sign-in flows (the skill expects you to authorize payments via a wallet UI). If you need higher assurance, ask the skill author for an install manifest (signed release URLs, package versions) and an explicit list of files/configs the skill will change.

Like a lobster shell, security has layers — review code before you run it.

latestvk976wjsffdh7kqavvtkqm2d7qh82afpq
359downloads
1stars
3versions
Updated 14h ago
v1.0.2
MIT-0
Albert Putra Purnama@albertpurnama
latest
Download

Setup Services

Install and configure OpenSpend CLI, then optionally configure Coinbase Payments MCP for paid workflows.

Trigger conditions and approval

Use this skill when any of the following is true:

  1. command -v openspend fails
  2. openspend whoami fails due to auth/session state
  3. User explicitly asks to install, update, or authenticate OpenSpend CLI

Before install, update, or authentication steps, get explicit user approval.

OpenSpend CLI preflight checks

command -v openspend || echo "openspend not installed"
openspend version
openspend whoami

OpenSpend CLI setup

  1. Install OpenSpend CLI.

Preferred method (homebrew):

brew install promptingcompany/tap/openspend

Alternative method (curl installer) only with explicit user approval:

curl -fsSL https://openspend.ai/install | sh
  1. Update existing install when openspend is already available.
openspend update
  1. Authenticate and verify CLI session.
openspend auth login -y
openspend whoami

Payments MCP setup

  1. Confirm Node.js and npx are available.
node -v
npx -v
  1. Add MCP server config in your MCP client configuration (for example ~/.codex/mcp.json).
{
  "mcpServers": {
    "payments": {
      "command": "npx",
      "args": ["-y", "@coinbase/payments-mcp"]
    }
  }
}
  1. Restart MCP client/session so the server is loaded.

Payments authentication and verification

  1. Call check_session_status first.
  2. If not signed in, call show_wallet_app immediately and complete sign-in.
  3. Confirm wallet access with get_wallet_address and get_wallet_balance.

Payment workflow guidance

  1. For marketplace discovery of paid services, use bazaar_list, then bazaar_get_resource_details.
  2. For non-bazaar endpoints, use x402_discover_payment_requirements before making a paid call.
  3. Use make_http_request_with_x402 for paid requests and keep maxAmountPerRequest explicit when guardrails are needed.
  4. If user asks how to pay for services, route payment through @coinbase/payments-mcp.

Troubleshooting

  • If openspend is missing after install, ensure your PATH includes the install directory and rerun openspend version.
  • If npx @coinbase/payments-mcp fails, verify Node.js installation and rerun with npx -y @coinbase/payments-mcp.
  • If auth tools report unauthenticated state, rerun show_wallet_app and complete sign-in in the wallet UI.
  • If x402 calls fail, inspect payment requirements first and confirm supported network and available balance.

Comments

Loading comments...