ClawHub

Kash - Agentic Payment Provider

v1.0.7

Pay for APIs, tools, and services from your agent's Kash wallet. Spends below $5 are autonomous; above $5 requires explicit user YES. Requires KASH_KEY and K...

2· 366·0 current·0 all-time
by@devfaraaz
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name and description match the implementation: the skill only requires KASH_KEY and KASH_AGENT_ID and provides functions to spend and check balance via api.kash.dev. No unrelated credentials, binaries, or install steps are requested.
Instruction Scope
SKILL.md and tools.ts both instruct the agent to call kash_spend before paid operations and to require user confirmation for spends above the threshold; they do not request reading unrelated files or secrets. Rules are explicit and scoped to payment actions.
Install Mechanism
There is no install step beyond an instruction-only skill plus a small TypeScript tool file. No external downloads, installers, or package installs are included.
Credentials
Only KASH_KEY and KASH_AGENT_ID are required (KASH_BUDGET and KASH_API_URL are optional). This is proportionate for a payment provider. Note: by design, small spends below the confirmation threshold (default $5) are allowed autonomously — users should be aware of this implicit risk and configure KASH_SPEND_CONFIRMATION_THRESHOLD or KASH_BUDGET if they want stricter controls.
Persistence & Privilege
The skill is not forced-always and does not request elevated system-wide privileges. It can be invoked autonomously (platform default), which is expected for a payment skill; combine that with budget/threshold settings when assessing risk.
Assessment
This skill appears to do what it says: it will send your KASH_KEY to api.kash.dev to make payments. Before installing, consider: 1) Keep KASH_KEY secret and only obtain it from kash.dev; never paste it in chat. 2) If you don't want any autonomous spending, set KASH_SPEND_CONFIRMATION_THRESHOLD=0 so every spend requires an explicit YES. 3) Set a conservative KASH_BUDGET (e.g., small session cap) to limit exposure. 4) Do not set KASH_API_URL to an untrusted domain — the skill allows only api.kash.dev and localhost. 5) Monitor kash.dev/dashboard/transactions and be ready to pause the agent if you see unexpected charges. These mitigations reduce the main risk: automated small charges that occur without per-transaction confirmation.

Like a lobster shell, security has layers — review code before you run it.

latestvk9704d17kn2pbvvedwtqqdytj581v5t8

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

💳 Clawdis
EnvKASH_KEY, KASH_AGENT_ID
Primary envKASH_KEY

Comments