ClawHub

Eth Payment

v1.0.4

Generate EIP-681 Ethereum payment links and QR codes for any EVM chain. Zero configuration, instant setup for receiving ETH and ERC-20 payments. Use when you...

1· 316·1 current·1 all-time
by@bevanding
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description, SKILL.md, and the included Python script all describe generating EIP-681 links and QR codes. No unrelated credentials, binaries, or install steps are requested.
Instruction Scope
SKILL.md instructs the agent/user to install qrcode and pillow and to run the included script; the script only reads its local config, generates links, and can write a PNG file. It does not call remote APIs or read environment secrets. Note: SKILL.md claims 'zero config' but the script relies on the included config/chains.json file (which contains token addresses).
Install Mechanism
No install spec; instruction-only skill. Dependencies are typical Python libraries (qrcode, pillow) installed via pip per README. No downloads from unknown URLs or archive extraction.
Credentials
The skill requires no environment variables or credentials. It operates locally and does not request keys, tokens, or config paths.
Persistence & Privilege
always is false and the skill does not request any elevated persistence or modify other skills/configs. It only writes QR image files to paths given by the user.
Assessment
This package appears to do what it says (generate payment links and local QR codes) and asks for no secrets, but check these before using: 1) Review config/chains.json token addresses — I noticed some entries that look malformed or possibly mistyped (non-hex characters in at least one token address); using incorrect token addresses could create broken or misleading payment requests. 2) Inspect the full Python script for any unexpected network calls or shell calls (the file imports subprocess but the visible parts don't use it — confirm the remainder of the file). 3) Run the tool in a local/sandbox environment first and test with a non-sensitive address to verify outputs. 4) Only install the listed pip packages from PyPI and keep your environment isolated (virtualenv). If you want higher assurance, ask the maintainer for a checksum or official release URL and request fixes for any malformed addresses or syntax issues before using in production.

Like a lobster shell, security has layers — review code before you run it.

latestvk977amaprh5g5nmmzdw4e3wrt983tfxb

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments