ClawHub

soho

v1.0.17

Initiate payments on the SOHO Pay credit layer using EIP-712 signatures.

0· 375·1 current·1 all-time
byAmit Biswas@amitbiswas1992

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for amitbiswas1992/soho.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "soho" (amitbiswas1992/soho) from ClawHub.
Skill page: https://clawhub.ai/amitbiswas1992/soho
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install amitbiswas1992/soho

ClawHub CLI

Package manager switcher

npx clawhub@latest install soho
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name, description, skill.json env declaration, SKILL.md, and all scripts align: the code implements pay/status/repay/register workflows for SOHO Pay on Base mainnet and Sepolia. The only sensitive input requested is PRIVATE_KEY, which is appropriate for a signing agent. Hardcoded contract and token addresses are present and documented.
Instruction Scope
Runtime instructions and code only perform EVM reads/writes and local signing. The scripts read PRIVATE_KEY from the environment, call the configured RPC endpoints, sign locally with ethers, and submit transactions to the Creditor/BorrowerManager contracts. They do not call unexpected external endpoints, do not exfiltrate the raw private key, and do not read unrelated system files or env vars.
Install Mechanism
There is no platform install spec (download/extract/brew) in the registry, but the package contains package.json and instructs npm install in SKILL.md. Dependencies are standard (ethers, dotenv) pulled from the public npm registry — this is expected for a Node.js skill but does mean npm packages will be installed at runtime, so normal supply-chain risk considerations apply.
Credentials
Only PRIVATE_KEY is required and is declared as sensitive in skill.json and SKILL.md. That is proportionate to a signing/payment skill. No unrelated credentials or config paths are requested.
Persistence & Privilege
The skill does not request 'always: true' and skill.json marks 'autonomous': false; however the platform registry metadata shows the default model-invocation flags. If the platform allows autonomous invocation, the skill could sign and submit transactions using the provided PRIVATE_KEY without extra human approval — ensure agent invocation settings match your risk tolerance. The skill itself does not modify other skills or system settings.
Assessment
This skill appears to do what it claims, but it operates on a highly sensitive secret (PRIVATE_KEY). Before installing: 1) Only supply a key you control and are willing to automate (preferably a low-value or test key). 2) Verify the hardcoded contract and token addresses are the intended SOHO Pay contracts for your network. 3) Install and run the skill locally (not in an untrusted cloud) if you want to keep the key off remote systems. 4) Review SKILL.md and the scripts yourself or with a trusted reviewer; npm dependencies come from the public registry so follow your usual supply-chain precautions. 5) Confirm how OpenClaw handles autonomous invocation—if you do not want the agent to act without approval, disable autonomous invocation for this skill or keep it user-invocable only.

Like a lobster shell, security has layers — review code before you run it.

latestvk977pad6x7e83z3nq30g0ksqd582xkt9
375downloads
0stars
4versions
Updated 1mo ago
v1.0.17
MIT-0
Amit Biswas@amitbiswas1992
latest
Download

SOHO Pay - Credit Layer Payments

This skill allows the agent to initiate payments through the SOHO Pay Creditor smart contract using the spendWithAuthorization EIP-712 flow.

The agent signs the payment authorization off-chain using a pre-configured wallet, and then submits the transaction to the network on the user's behalf.

Core Command

The primary way to use this skill is with a natural language command that maps to:

pay <amount> to <merchant_address>

  • <amount>: The numerical amount to pay (e.g., 10, 0.5).
  • <merchant_address>: The recipient EVM address (0x...). Names are not supported and no random addresses are ever generated by this skill.

Workflow

Payments (credit spend)

When you issue a pay command, the skill performs the following actions:

  1. Parse Inputs: Extracts the amount and merchant address from the user's request.
  2. Validate Merchant Address: Confirms that the merchant is a valid EVM address; otherwise it aborts.
  3. Pre-Flight Checks (BorrowerManager):
    • Verifies the borrower is registered and active.
    • Checks if the credit limit is sufficient for the requested amount.
    • On demand, can auto-register the agent once via registerAgent.
  4. Generate Authorization: Creates an EIP-712 typed data message for the payment.
  5. Sign Off-Chain: Uses the configured PRIVATE_KEY wallet (from environment variables) to sign the authorization message.
  6. Execute On-Chain: Calls the spendWithAuthorization function on the Creditor contract, providing the signed message.
  7. Report Result: Returns the transaction hash to the user upon confirmation.

Status / Profile checks

The status helper reads the BorrowerManager profile + USDC wallet balance for the bot:

  • Calls the s_borrowerProfiles(address) public mapping getter to fetch:
    creditLimit, outstandingDebt, totalSpent, totalRepaid, spendingCount, repaymentCount, lastActivityTime, creditScore, isActive, isAgent, transactionIds.
  • Calls IERC20(USDC).balanceOf(bot) to fetch the USDC wallet balance for the same address.
  • Prints a human-readable summary so you can see, per network:
    • Whether the bot is registered / active
    • Credit limit and whether the profile is flagged as an agent
    • Outstanding debt and historical spend/repay totals
    • Last activity timestamp and credit score
    • USDC balance available in the wallet

This is what powers prompts like:

  • "check my bot status on testnet"
  • "check my bot outstanding debt on mainnet"

Repayments (reduce outstanding debt)

The repay helper uses USDC to pay down outstandingDebt tracked by BorrowerManager and Creditor:

  1. Pre-flight checks:
    • Verifies the borrower is registered and active.
    • Reads current credit limit and any existing outstandingDebt`.
  2. USDC balance & allowance:
    • Ensures the bot wallet has enough USDC balance for the requested repayment.
    • Checks IERC20(USDC).allowance(bot, Creditor) and, if too low, sends an approve(Creditor, amount) tx first.
  3. On-chain repay:
    • Calls Creditor.repay(amount, USDC) from the borrower wallet.
    • The Creditor contract:
      • Caps the repayment to min(amount, outstandingDebt).
      • Applies payments to BNPL plans via applyPaymentToPlans.
      • Updates the borrower profile via updateOnRepayment (new score + limit).
      • Transfers USDC from the borrower to the Vault and calls vault.repayVaultDebt.
    • Emits a repayment event with the new score and limit.
  4. Status after repay:
    • After a successful repay, you can run status again to verify:
      • outstandingDebt has decreased (or is 0),
      • totalRepaid increased,
      • creditScore and creditLimit have been updated.

This is what backs prompts like:

  • "repay my bot debt on testnet"
  • "repay 5 USDC of my bot debt on mainnet"

Configuration

  • Environment Variable (runtime): The private key for the signing wallet must be provided via the PRIVATE_KEY environment variable.
  • Why the private key is needed: OpenClaw is designed to run as an autonomous agent. For it to initiate SOHO Pay transactions without human clicks, it must be able to sign EIP-712 authorizations itself.
  • Local-only usage (important): PRIVATE_KEY is used only locally on the machine running OpenClaw. The raw key is never sent to SOHO Pay, ClawHub, or any external service — only signed messages and transactions leave the machine. Anyone running this bot must understand that the key controls whatever funds are on the selected network.
  • Skill Metadata: The skill declares PRIVATE_KEY as a required, sensitive credential. You can use a single key for both Base mainnet and Base Sepolia, but be aware this may control real funds on mainnet.
  • Networks: The script supports both Base mainnet (default) and Base Sepolia (testnet). It enforces the expected chainId for the selected network and aborts if the RPC does not match.

Defaults

The following values are hardcoded into the script for consistency, and are used on both Base mainnet and Base Sepolia:

  • Creditor Contract: 0xdb34d612dd9aa548f6c94af118f82a461a835e09
  • Borrower Manager: 0xc6ecd37c42ee73714956b6a449b41bc1d46b07b0
  • Asset (USDC): 0x43848d5a4efa0b1c72e1fd8ece1abf42e9d5e221 (6 decimals)
  • Payment Plan ID: 0

Setup, Installation & Dependencies

This skill is a small Node.js project under skills/sohopay.

  1. Set PRIVATE_KEY in the environment where OpenClaw runs:

    export PRIVATE_KEY=0xYOUR_KEY_HERE

    This address will be the SOHO Pay "agent" on Base mainnet / Base Sepolia.

  2. Install the skill and dependencies:

    clawhub install sohopay
cd skills/sohopay
npm install

    This installs the runtime dependencies declared in package.json (currently ethers and dotenv).

  3. Register the agent once on the chosen network (before making payments):

    # Base mainnet (default)
node scripts/register.js

# Explicit mainnet
node scripts/register.js mainnet

# Base Sepolia testnet
node scripts/register.js testnet

    This calls registerAgent(agent) on the BorrowerManager contract using the PRIVATE_KEY address.

  4. Make payments after registration using scripts/pay.js:

    # Base mainnet (default when no network arg is given)
node scripts/pay.js 10 0xMerchantOnMainnet

# Explicit mainnet
node scripts/pay.js mainnet 10 0xMerchantOnMainnet

# Base Sepolia testnet
node scripts/pay.js testnet 10 0xMerchantOnTestnet

    This uses the SOHO Pay Creditor contract to spend on credit via spendWithAuthorization.

  5. Check status / profile and balances using scripts/status.js:

    # Base mainnet
node scripts/status.js mainnet

# Base Sepolia testnet
node scripts/status.js testnet

    This reads the BorrowerManager profile and USDC wallet balance for the agent and prints a human-readable summary (credit limit, outstanding debt, totals, scores, and USDC balance).

  6. Repay outstanding debt using USDC with scripts/repay.js:

    # Base mainnet
node scripts/repay.js mainnet 10

# Base Sepolia testnet
node scripts/repay.js testnet 10

    This uses USDC from the agent wallet to repay outstandingDebt via the Creditor contract, updating the borrower profile and vault debt, and emitting a repayment event.

Security Notes

  • PRIVATE_KEY is highly sensitive. Treat it exactly like the key to a normal wallet: anyone with this value can move all funds it controls.
  • Local signing only: The script signs transactions locally and never transmits the raw private key over the network. Only signatures and transactions are sent to RPC endpoints.
  • This skill never triggers itself; it is only executed when called by a user, cron job, or higher-level workflow. It is safe to wire into autonomous flows (e.g. “if price < 10, then pay …”) as long as you understand what those automations will do with your PRIVATE_KEY.
  • The merchant must be provided as an explicit merchant_address. If the address is wrong, funds on that network may be irrecoverably sent to the wrong account.
  • No random address generation is performed. The skill will refuse non-address merchant inputs.

Example Usage

Natural-language commands

These are the kinds of prompts you can send to your OpenClaw agent once the skill is installed and PRIVATE_KEY is configured.

  • Register bot (testnet)
    "register my bot to use sohopay on Base Sepolia testnet"

  • Register bot (mainnet)
    "register my bot to use sohopay on Base mainnet"

  • Pay a merchant (EIP‑712 spendWithAuthorization)
    "pay 10 USDC to 0x1234567890abcdef1234567890abcdef12345678 on testnet using sohopay"

  • Check bot status (credit limit, outstanding debt, totals, USDC balance)
    "check my bot status on testnet"
    "check my bot outstanding debt on mainnet"

  • Repay debt (calls Creditor.repay(amount, stablecoin))
    "repay my bot debt on testnet"
    "repay 5 USDC of my bot debt on mainnet"

Script entrypoints (for reference)

  • Registration: node scripts/register.js [mainnet|testnet] [check]

    • node scripts/register.js testnet – register bot on Base Sepolia
    • node scripts/register.js mainnet check – status only, no tx

  • Payments (credit spend):

    • node scripts/pay.js [mainnet|testnet] <amount> <merchant_address>

  • Status (profile + outstanding debt + USDC balance):

    • node scripts/status.js mainnet
    • node scripts/status.js testnet

  • Repayments (reduce outstanding debt using USDC):

    • node scripts/repay.js [mainnet|testnet] <amount>

When mapped through OpenClaw, you should prefer natural-language prompts; the scripts above are provided for debugging and manual CLI use.

Comments

Loading comments...