{"skill":{"slug":"pqsafe-pay-v1","displayName":"Openclaw Pqsafe","summary":"Post-quantum signed SpendEnvelopes for AI agent payments. ML-DSA-65 (NIST FIPS 204) signatures over Airwallex, Wise, Stripe, USDC-Base, and x402 rails.","description":"---\nname: pqsafe-pay-v1\ndescription: Post-quantum signed SpendEnvelopes for AI agent payments. ML-DSA-65 (NIST FIPS 204) signatures over Airwallex, Wise, Stripe, USDC-Base, and x402 rails.\nversion: 0.1.0\nmetadata:\n  openclaw:\n    requires:\n      env:\n        - PQSAFE_API_KEY\n      bins:\n        - node\n    primaryEnv: PQSAFE_API_KEY\n    envVars:\n      - name: PQSAFE_API_KEY\n        required: true\n        description: PQSafe AgentPay API key from dashboard.pqsafe.xyz\n      - name: PQSAFE_KEY_ID\n        required: false\n        description: ML-DSA-65 signing key ID (defaults to account default key)\n      - name: PQSAFE_TEST_MODE\n        required: false\n        description: Set to \"true\" to use in-memory mocks for local development\n    emoji: \"🔐\"\n    homepage: https://pqsafe.xyz/openclaw-skill\n    os: [\"macos\", \"linux\", \"windows\"]\n    install:\n      - kind: npm\n        package: \"@pqsafe/openclaw\"\n---\n\n# PQSafe Post-Quantum Payment Skill (`pqsafe.pay.v1`)\n\nPost-quantum signed SpendEnvelopes for AI agent payments. ML-DSA-65 (NIST FIPS 204) signatures\nover Airwallex, Wise, Stripe, USDC-Base, and x402 rails.\n\n## Quick Start\n\n```bash\nnpm install @pqsafe/openclaw\n```\n\n```typescript\nimport { OpenClawClient } from \"@openclaw/sdk\";\nimport \"@pqsafe/openclaw\"; // registers pqsafe.pay.v1\n\nconst claw = new OpenClawClient();\n\nconst envelope = await claw.invoke(\"pqsafe.pay.v1/create_envelope\", {\n  agentId:   \"agent_my_bot_v1\",\n  payerId:   \"payer_usr_abc123\",\n  maxAmount: \"100.00\",\n  currency:  \"USD\",\n  rail:      \"wise\",\n  expiresAt: \"2026-12-31T23:59:59Z\",\n});\n```\n\nSet `PQSAFE_TEST_MODE=true` for local development — no real keys or network calls required.\n\n## Operations\n\n| Operation | Description |\n|-----------|-------------|\n| `create_envelope` | Issue a new ML-DSA-65 signed SpendEnvelope with spend cap, rail, and expiry |\n| `verify_envelope` | Verify signature integrity, expiry, nonce uniqueness, and key ID validity |\n| `revoke_envelope` | Append envelope ID to the real-time revocation list (append-only, timestamped) |\n\n## Security Model\n\n- **HSM-backed signing keys** — ML-DSA-65 private keys are generated and stored in hardware\n  security modules; they never leave the PQSafe key service\n- **Single-use nonce** — each envelope carries a 256-bit random nonce; replay attacks are\n  rejected at the verify layer\n- **Expiry enforced in signed payload** — `expiresAt` is part of the signed content; an attacker\n  cannot extend expiry without invalidating the signature\n- **Real-time revocation list** — `revoke_envelope` appends to a low-latency revocation list\n  checked on every `verify_envelope` call\n- **Append-only audit log** — all create, verify, and revoke events are timestamped and written\n  to an immutable audit log\n- **JCS-canonical signing** — payload serialized in JSON Canonicalization Scheme form (RFC 8785)\n  before signing, eliminating signature ambiguity from key ordering or whitespace variation\n\n## Supported Rails\n\n| Rail | Status | Currency |\n|------|--------|----------|\n| `airwallex` | **LIVE sandbox** | Multi-currency (real test transfers) |\n| `wise` | **LIVE sandbox** | 40+ fiat currencies (real test transfers) |\n| `stripe` | mock-ready | USD + 135 others |\n| `usdc-base` | mock-ready | USDC |\n| `x402` | mock-ready | USDC + ETH |\n\nLIVE sandbox = validated end-to-end with sandbox rails. Mock-ready = SpendEnvelope creation and\nverification are fully functional; live rail integration is in progress.\n\n## ML-DSA-65 Parameters\n\n| Parameter | Value |\n|-----------|-------|\n| Standard | NIST FIPS 204 |\n| Security level | NIST Level 3 |\n| Public key size | 1,952 bytes |\n| Secret key size | 4,032 bytes |\n| Signature size | 3,309 bytes |\n| Hardness assumption | Module-LWE + Module-SIS |\n\n## Links\n\n- Homepage: https://pqsafe.xyz/openclaw-skill\n- npm package: https://www.npmjs.com/package/@pqsafe/openclaw\n- API docs: https://docs.pqsafe.xyz/agent-pay/openclaw\n- AP2-PQ Profile RFC: https://pqsafe.xyz/ap2-pq-rfc\n- NIST FIPS 204: https://csrc.nist.gov/pubs/fips/204/final\n- Source (Apache-2.0): https://github.com/PQSafe/pqsafe/tree/main/plugins/openclaw-pqsafe\n\n## License\n\nApache-2.0 — Security disclosures: security@pqsafe.xyz\n","topics":["Payment"],"tags":{"latest":"0.1.0"},"stats":{"comments":0,"downloads":348,"installsAllTime":13,"installsCurrent":0,"stars":0,"versions":1},"createdAt":1777733438961,"updatedAt":1779076190926},"latestVersion":{"version":"0.1.0","createdAt":1777733438961,"changelog":"Initial release","license":"MIT-0"},"metadata":{"setup":[{"key":"PQSAFE_API_KEY","required":true},{"key":"PQSAFE_KEY_ID","required":false},{"key":"PQSAFE_TEST_MODE","required":false}],"os":["macos","linux","windows"],"systems":null},"owner":{"handle":"rayc0","userId":"s171wgfd7sfc59x26bcq6tfwbs85zya6","displayName":"rayc0","image":"https://avatars.githubusercontent.com/u/97246878?v=4"},"moderation":{"isSuspicious":false,"isMalwareBlocked":false,"verdict":"clean","reasonCodes":["review.llm_review"],"summary":"Review: review.llm_review","engineVersion":"v2.4.24","updatedAt":1780090732785}}