openkrill
v1.0.0Enable AI agents to make micropayments via x402 protocol. Use when purchasing browser sessions on Browserbase, scraping with Firecrawl, or any x402-compatible API. Handles wallet creation, funding, and automatic payment flows.
⭐ 1· 1.4k·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
Name/description request a thirdweb secret key and the code files (wallet creation, check-balance, fetch-with-payment, fund-wallet, discovery, create-email) all use the thirdweb APIs and Mail.tm as described. The single required env var (THIRDWEB_SECRET_KEY) is consistent with the skill's payment/wallet functionality.
Instruction Scope
SKILL.md instructs the agent to create/check server wallets, call thirdweb's x402 fetch endpoint, and create disposable email accounts. Those actions match the stated purpose, but create-email.ts persists disposable-email credentials to a local file (.agent-emails.json) unencrypted, which is a privacy/persistence concern that users should know about.
Install Mechanism
The registry metadata declares no required binaries and no install spec, but all scripts use a npx ts-node shebang and therefore effectively require Node.js and ts-node (or npx to fetch it). That mismatch is an operational risk: running the provided scripts may rely on npx fetching packages at runtime (network + npm), which is a supply-chain/execution risk not declared in the skill metadata.
Credentials
Only THIRDWEB_SECRET_KEY is required, which is appropriate for the thirdweb-based payment flows, but this secret is powerful (can create/manage server wallets and initiate payments). The skill also optionally uses/reads/writes wallet addresses and local email credentials. Ensure the provided secret has appropriate scope and billing protections.
Persistence & Privilege
always:false (good). The skill persists state locally (e.g., .agent-emails.json and may store wallet identifier/address). This local persistence is expected for its purpose but may contain tokens/passwords and should be treated as sensitive data.
Assessment
What to consider before installing:
- The skill legitimately needs a thirdweb project secret key (THIRDWEB_SECRET_KEY). That key can create/manage wallets and invoke payments — only provide it if you trust the code and are prepared for potential charges. Prefer using a dedicated thirdweb project with limited funds/billing alerts rather than a production key.
- The package contains TypeScript scripts that expect Node.js/ts-node (shebang uses npx ts-node). The skill metadata didn't declare this; running scripts may cause npx to fetch packages from the npm registry at runtime. If you plan to run the scripts, install Node/ts-node locally and inspect the code rather than relying on npx to pull remote packages.
- create-email.ts stores disposable email credentials in .agent-emails.json in the current working directory (unencrypted). If you use the email automation, review and securely delete or move that file if it contains data you don't want persisted.
- Financial risk: the skill can initiate payment flows via thirdweb. Test on a testnet or isolated project with a small budget before using on mainnet. Configure billing alerts and limits on your thirdweb/account to avoid unexpected charges.
- If you need stronger guarantees, review the code yourself (it's provided), run in an isolated environment, and rotate the THIRDWEB_SECRET_KEY after testing. Consider disabling autonomous invocation for agents that you don't fully trust to prevent unattended spending or email/account creation.Like a lobster shell, security has layers — review code before you run it.
latestvk978xsg7zr0n96xcjr8yfnrqed808g43
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
EnvTHIRDWEB_SECRET_KEY
Primary envTHIRDWEB_SECRET_KEY