clawxpay
v1.0.3Pay-per-call API gateway — zero account, zero API key, zero subscription via the x402 protocol. One Base wallet + USDC is all you need to access 250+ profess...
⭐ 0· 314·0 current·0 all-time
byclawxpay@biggggtreee-rgb
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description (pay-per-call gateway using a Base wallet and USDC) align with the declared install (an npm package clawxpay-js) and the metadata (wallet path, spending on Base). Nothing obviously unrelated is being requested (no unrelated cloud creds, no system-wide config paths), but the skill's core capability (creating and using a private wallet to pay on-chain) is sensitive and must be proportionate to the stated purpose — which it is, but only marginally.
Instruction Scope
SKILL.md instructs the agent to auto-create a wallet on first install and store the private key at ~/.clawxpay/wallet.key (sensitive). It also mandates asking for user approval before any paid call, which is good practice, but that is a behavioral instruction (a policy), not a technical enforcement. The doc claims the private key is "never transmitted to any server" — that is a promise in prose and cannot be validated from the metadata alone. Because the agent will be performing on-chain payments and calling many third-party APIs, the runtime will need access to wallet keys and signing functionality; this is within scope but high-risk and worth explicit verification.
Install Mechanism
The install spec is an npm/package install (clawxpay-js) producing a binary clawxpay-init. Using npm is expected for a JS SDK, but the package source code is not included in the skill bundle for review. npm packages can execute arbitrary code at install/runtime, so this is a moderate risk — expected but verify the package's provenance and contents before installing.
Credentials
The skill does not request environment variables or external credentials, which is appropriate. However, it writes a wallet private key to a file under the user's home directory; that private key grants the ability to spend USDC on Base mainnet. The metadata claims requiresUserApproval: true, but a required approval flag in metadata is not a technical guarantee — confirm the platform enforces approval prompts and that the private key is isolated. Requesting no env vars while creating a local, spend-capable key is sensible, but the sensitivity of that key makes this proportionality a security concern.
Persistence & Privilege
always:false (good). The skill is user-invocable and allowed to be invoked autonomously (disable-model-invocation:false), which is normal, but because this skill handles payments and holds signing keys, autonomous invocation increases blast radius if combined with malicious behavior. The metadata includes storage of a sensitive key; ensure the skill cannot modify other skills or system-wide settings (none are declared).
What to consider before installing
This skill implements on-chain payments and auto-creates a wallet private key stored on your machine — that key can spend USDC on Base. Before installing: (1) inspect the npm package (clawxpay-js) source or the vendor's repository to confirm it does what the README claims; (2) ensure the platform enforces the "requiresUserApproval" flow (don't rely only on prose); (3) use a dedicated low-balance wallet if you decide to proceed (limit funds to the minimum you are willing to risk); (4) verify that the wallet.key file is created with 0600 permissions and is not uploaded anywhere; (5) prefer installing in an isolated environment or sandbox first and review the binary's behavior; and (6) confirm the homepage and publisher identity/trustworthiness (unknown owner ID in registry). If you cannot review the package or verify approval enforcement, avoid installing or grant only minimal funds.Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
💳 Clawdis
Install
Node
Bins: clawxpay-init
npm i -g clawxpay-jslatest
clawxpay@biggggtreee-rgb
Download💳 clawxpay — Pay-per-Call API Gateway
250+ professional APIs on demand · from $0.001 per call · one wallet, all data
The Story
A DeFi arbitrage Agent needed to query simultaneously every day: BTC funding rate (coinank), ETH options implied volatility (polygon), whale net-flow signal (nofxos), and then call DeepSeek to generate a trade summary.
The old way: 4 platforms, 4 sets of API keys, 4 subscriptions — just the monthly fees added up to $200+, plus constant worry about key leaks and quota exhaustion.
Now: install clawxpay — a wallet is auto-created on first install — pay per call. That day the Agent ran 1,200 calls and spent a total of $1.87 USDC. No subscription. No registration. No key management.
When to Use This Skill
Before making any paid call, always tell the user which endpoint will be called and the estimated cost, then wait for explicit approval. Never initiate spending autonomously without user confirmation.
Use clawxpay whenever a user or Agent encounters any of the following scenarios:
Scenario 1: Price & Market Data Queries
Trigger keywords: current price, quote, latest price, change %, market cap, volume, candlestick, OHLCV
Covered assets: crypto, US stocks, ETFs, forex, commodities, metals
Data sources:
coinank— BTC / ETH / altcoin real-time quotes, BTC ETF net flow, spot-futures spreadcoinmarketcap— full-market quotes, top gainers/losers, DEX pair searchalphavantage— US stock real-time quote, daily OHLCV, pre/after-market, today's moverspolygon— US stock aggregated candlesticks (minute/hour/day), real-time snapshot, order book dataalpaca— latest US stock quote, batch multi-ticker snapshottwelvedata— forex rates, gold/silver/crude oil, multi-asset cross-pair prices, economic calendar events
Example trigger phrases:
- "What is BTC trading at right now?"
- "How much did Tesla gain today?"
- "Give me the last 24h ETH/USDT candlesticks"
- "Top 10 US stock gainers today"
- "What is USD/JPY right now?"
Scenario 2: Technical Analysis & Quant Signals
Trigger keywords: RSI, MACD, Bollinger Bands, moving average, golden cross, death cross, overbought, oversold, technical indicator, OI, funding rate, long/short ratio
Data sources:
alphavantage— RSI / MACD / EMA / SMA / BBANDS / STOCH and full technical indicator suitepolygon— US stock SMA / EMA, options Greeks (Delta / Gamma / Vega / Theta)twelvedata— multi-asset technical indicators covering crypto + US stocks + forexnofxos— crypto OI (open interest) ranking, net inflow/outflow, Long/Short Ratio, AI trade signalscoinank— perpetual funding rate, liquidation history, order book depth, per-exchange data (Binance/OKX/Bybit)
Example trigger phrases:
- "What is the BTC daily RSI? Is it overbought?"
- "Is the ETH perpetual funding rate positive or negative right now?"
- "Has the Nasdaq 100 MACD crossed bullish?"
- "Which side is heavier in crypto right now — longs or shorts?"
- "How has SOL's OI changed in the last 24 hours?"
Scenario 3: Market Sentiment & On-chain Data
Trigger keywords: fear & greed index, market sentiment, whale, large players, liquidation, on-chain, capital flow, trending, heatmap
Data sources:
coinank— Fear & Greed index, whale net buy/sell, BTC ETF institutional inflow, exchange net flow, large liquidation ordersnofxos— Upbit trending (Korean market sentiment indicator), crypto heatmap, on-chain net-flow signal, AI sentiment classificationcoinmarketcap— full-market listing updates, new token launches, DEX pair activity
Example trigger phrases:
- "What is the current Fear & Greed index?"
- "Have any whales been accumulating BTC recently?"
- "How much was liquidated in crypto today?"
- "What tokens are trending on Upbit today?"
- "Did BTC ETF have a net inflow or outflow yesterday?"
- "Is the exchange BTC balance declining?"
Scenario 4: Web3 Projects & Funding Intelligence
Trigger keywords: funding, investment, VC, project background, who invested, ecosystem, hiring, airdrop, hot projects
Data sources:
rootdata— Web3 project funding rounds and amounts, investor profiles, ecosystem project lists, team job changes, trending project rankings
Example trigger phrases:
- "Which projects has a16z invested in recently?"
- "Who invested in this project, and how much did they raise?"
- "What new projects have launched in the Solana ecosystem lately?"
- "What are the top 5 on today's Web3 funding trending list?"
- "Which DeFi projects are in Paradigm's portfolio?"
Scenario 5: China A-Share Market
Trigger keywords: A-share, Shanghai-Shenzhen, northbound capital, margin financing, Dragon Tiger List, fundamentals, earnings, Hong Kong stocks
Data sources:
tushare— A-share daily OHLCV, stock fundamental data, northbound capital net inflow/outflow, margin balance changes, Dragon Tiger List large-order seats
Example trigger phrases:
- "How much northbound capital flowed into Kweichow Moutai today?"
- "Which stocks are on today's A-share Dragon Tiger List?"
- "What are the latest fundamentals for CATL?"
- "How much did the two-margin balance change today?"
- "Monthly daily candlestick data for the CSI 300"
Scenario 6: AI Inference & Content Generation
Trigger keywords: analyze, summarize, translate, generate report, write code, reasoning, answer questions, image generation, embeddings
Available models:
| Provider | Models |
|---|---|
| OpenAI | GPT-4o, GPT-4o-mini, o1, o3-mini |
| Anthropic | Claude Opus |
| DeepSeek | DeepSeek-Chat, DeepSeek-Reasoner, DeepSeek-Coder |
| Qwen | Qwen-Max, Qwen-Plus, Qwen-Turbo, Qwen-Coder, Qwen-VL |
| Gemini | Gemini 1.5 Pro, Gemini 1.5 Flash |
| Grok | Grok-2, Grok-2-Vision |
| Kimi | Moonshot-v1-8k, Moonshot-v1-32k, Moonshot-v1-128k |
Example trigger phrases:
- "Use DeepSeek to help me analyze this on-chain data"
- "Call Claude to generate today's crypto market summary"
- "Use GPT-4o to write a Python strategy script for me"
- "Use Qwen-VL to analyze this candlestick chart screenshot"
- "Help me translate this English research report"
Cost & Privacy
| Item | Cost (USDC) |
|---|---|
| Market & price queries | $0.001 – $0.003 |
| Technical indicators & quant signals | $0.002 – $0.005 |
| Market sentiment & on-chain data | $0.003 – $0.008 |
| Funding intelligence & project research | $0.005 – $0.010 |
| A-share data | $0.002 – $0.005 |
| AI inference (lightweight) | $0.005 – $0.015 |
| AI inference (flagship models) | $0.015 – $0.060 |
| Settlement chain | Base mainnet |
| Payment method | Local-signed EIP-3009 USDC (private key never leaves your machine) |
| Identity | No account · No API key · Wallet is your identity |
Safeguards & Spending Controls
Key storage
| Item | Detail |
|---|---|
| File | ~/.clawxpay/wallet.key |
| Format | Plain hex private key (0x…), one line |
| Permissions | 0600 — owner read/write only |
| Transmission | Never — only the EIP-3009 authorization signature leaves the machine; the private key itself does not |
| Export | cat ~/.clawxpay/wallet.key — import into MetaMask or any EVM wallet |
Mandatory agent safeguards
An agent using this skill must follow these rules:
- NEVER expose the private key — do not read, print, log, or transmit the contents of
~/.clawxpay/wallet.keyunder any circumstances. If asked for wallet information, respond with the address only viaclient.getWalletAddress(). The private key is never needed at runtime. - Check balance before first call — always call
client.getBalance()at the start of a task and show the result to the user. If balance is 0 or insufficient, stop and ask the user to deposit USDC before proceeding. - Inform before spending — state the endpoint and cost range before calling; wait for user confirmation.
- Set a per-task budget cap — always pass
budgetto prevent runaway spending:
// Recommended: cap spend at $0.50 USDC per task
const client = new ClawXPay({ budget: 0.50 });
- Use a dedicated low-balance wallet — keep only the minimum funds needed (e.g. $5–$10 USDC). Do not deposit significant assets into this wallet.
- Never retry a failed 402 — a
402 Payment Requirederror means the on-chain payment was rejected. Check balance withclient.getBalance()and ask the user to top up; do not loop and retry automatically. - Audit spend after each task — call
client.getTotalSpent()and report cost to the user.
Spending cap behavior
When the budget ceiling is reached, the SDK throws InsufficientBalanceError immediately — no further calls are made:
import { ClawXPay, InsufficientBalanceError } from 'clawxpay-js';
const client = new ClawXPay({ budget: 0.50 });
try {
const data = await client.get('/crypto/price', { symbol: 'BTC' });
} catch (err) {
if (err instanceof InsufficientBalanceError) {
// budget exceeded — agent must stop and report to user
console.warn('Budget cap reached:', client.getTotalSpent(), 'USDC spent');
}
}
Quick Start
1. Install the SDK
npm install clawxpay-js
A wallet is automatically generated at ~/.clawxpay/wallet.key and the address is printed in your terminal during installation.
2. Fund your wallet
Send USDC on Base network to the address printed above. Recommended deposit: $5–$10 USDC — enough for thousands of API calls.
Bridge USDC to Base: https://bridge.base.org
3. First call
import { ClawXPay } from 'clawxpay-js';
// Always set a budget cap to prevent unexpected spending
const client = new ClawXPay({ budget: 0.50 }); // max $0.50 USDC per task
// Query BTC real-time price
const price = await client.get('/crypto/price', { symbol: 'BTC' });
console.log(price);
// Call DeepSeek for inference
const reply = await client.post('/llm/deepseek/chat', {
model: 'deepseek-chat',
messages: [{ role: 'user', content: 'Analyze the current BTC market structure' }],
});
console.log(reply);
The SDK automatically handles the x402 payment handshake: receives 402 Payment Required → signs locally → retries the request. No manual intervention needed.
Agent Quick Pattern
This is the canonical script for an agent to use clawxpay. Copy it directly — do not try to use
clawxpayas a shell command; it is an SDK, not a CLI tool.
Important: clawxpay-js is an ESM-only package. Always save scripts as .mjs files (or use "type": "module" in your package.json), and use import — never require().
// save as: query.mjs
// run with: node query.mjs
import { ClawXPay, InsufficientBalanceError, PaymentFailedError } from 'clawxpay-js';
// debug: true prints every step of the x402 payment flow to the console
const client = new ClawXPay({ budget: 0.50, debug: true });
// Step 1: always check balance before any paid call (free, reads chain directly)
const balance = await client.getBalance();
const address = client.getWalletAddress();
console.log(`Wallet : ${address}`);
console.log(`Balance: ${balance} USDC`);
if (parseFloat(balance) < 0.01) {
console.error('Insufficient balance. Please deposit USDC on Base to:', address);
process.exit(1);
}
// Step 2: tell the user what you are about to call and how much it will cost,
// then wait for confirmation before proceeding.
// Step 3: make the paid API call
try {
const result = await client.get('/crypto/price', { symbol: 'ETH' });
console.log('Result:', JSON.stringify(result, null, 2));
// Step 4: verify payment was actually settled on-chain
const receipt = client.getLastReceipt();
if (receipt) {
console.log(`Cost : ${receipt.amount} USDC`);
if (receipt.settled) {
console.log(`On-chain tx: ${receipt.txHash}`);
} else {
console.warn('⚠ Payment accepted by gateway but no on-chain txHash — verify at https://basescan.org/address/' + address);
}
}
} catch (err) {
if (err instanceof InsufficientBalanceError) {
const bal = await client.getBalance();
console.error(`Balance insufficient — current: ${bal} USDC. Please top up.`);
} else if (err instanceof PaymentFailedError) {
// PaymentFailedError means the SDK DID attempt the x402 payment but the gateway rejected it.
// This is NOT "you forgot to pay" — do NOT ask the user to deposit more.
// Instead: check gateway status, or inspect debug logs above for the specific rejection reason.
console.error('Payment was attempted but gateway rejected it:', err.message);
console.error('Do NOT retry automatically — check gateway status first.');
} else {
throw err;
}
}
Troubleshooting
| Symptom | Cause | Fix |
|---|---|---|
Cannot find module 'clawxpay-js' | Package not installed | npm install clawxpay-js |
require is not defined in ES module scope | clawxpay-js is ESM-only; require() does not work | Save file as .mjs and use import instead |
clawxpay: command not found | clawxpay-js is an SDK, not a CLI | Do not use it as a shell command; write a .mjs script and run node script.mjs |
PaymentFailedError thrown | The SDK already attempted x402 payment but the gateway rejected it. This does NOT mean "you forgot to pay" — do not ask the user to deposit more USDC. | Enable debug: true, read the rejection reason in logs, check gateway status |
Error 402 before any PaymentFailedError | Raw 402 from a different error (script crashed before SDK loaded) | Check that your .mjs file loads without errors first; run node --input-type=module <<< "import 'clawxpay-js'" |
receipt.settled === false after success | Gateway accepted the call but did not return a txHash — payment may not be on-chain | Check https://basescan.org/address/<wallet> to see if USDC left the wallet; report to gateway operator |
Balance shows 0 after depositing | Deposit still pending, or sent to wrong network | Wait ~30 s and retry; confirm deposit was on Base mainnet, not Ethereum mainnet |
budget exceeded / InsufficientBalanceError from budget | Crossed the budget ceiling set in new ClawXPay({ budget: N }) | Increase the budget value or top up wallet |
Advanced Usage
Chained calls: fetch data first, then AI analysis
// Step 1: Get BTC funding rate + Fear & Greed index
const [fundingRate, fearGreed] = await Promise.all([
client.get('/crypto/funding-rate', { symbol: 'BTC' }),
client.get('/crypto/fear-greed'),
]);
// Step 2: Feed the data to Claude for a market direction call
const analysis = await client.post('/llm/anthropic/messages', {
model: 'claude-opus-20250219',
messages: [{
role: 'user',
content: `Funding rate: ${fundingRate.value}, Fear & Greed: ${fearGreed.value}. What is your market direction call?`,
}],
});
Handling insufficient balance
import { InsufficientBalanceError } from 'clawxpay-js';
try {
const data = await client.get('/stock/quote', { symbol: 'TSLA' });
} catch (err) {
if (err instanceof InsufficientBalanceError) {
console.warn('Insufficient USDC balance — please top up your Base wallet');
}
}
Check the cost of the last call
const receipt = await client.getLastReceipt();
console.log(`Last call cost: ${receipt.amount} USDC, endpoint: ${receipt.endpoint}`);
Risk management recommendations
- Recommended per-task Agent spend cap: $0.50 USDC
- For high-frequency scenarios (> 50 calls/min) please contact us to enable a bulk channel
- Real-time market endpoints are cached (10 seconds) — identical requests will not be charged twice
All Supported Endpoints
Full endpoint documentation: https://clawxpay.com/docs
| Category | Provider | Endpoints |
|---|---|---|
| Crypto market & on-chain | coinank | 78 |
| Crypto sentiment & signals | nofxos | 18 |
| Crypto quotes & rankings | coinmarketcap | 5 |
| US stock market & indicators | alphavantage | 19 |
| US stock candlesticks & options | polygon | 25 |
| US stock quotes & bars | alpaca | 15 |
| Multi-asset & forex | twelvedata | 18 |
| China A-share market | tushare | 16 |
| Web3 funding intelligence | rootdata | 19 |
| AI inference | OpenAI / Anthropic / DeepSeek / Qwen / Gemini / Grok / Kimi | ~35 |
| Total | ~253 |
Comments
Loading comments...