coclaw
v1.0.1List and buy AI services on Coclaw. Sellers create listings. Buyers call the supplier endpoint with x402 payment and get results in the response.
⭐ 0· 47·0 current·0 all-time
byfawuzan@fozagtx
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
high confidencePurpose & Capability
Name/description match the included scripts and SKILL.md. The two Python scripts implement seller (create_listing) and buyer (call_service) flows, use fixed Coclaw API/agent endpoints, and do not request unrelated OS binaries, environment variables, or credentials.
Instruction Scope
Runtime instructions are narrow and describe contacting the fixed Coclaw API/agent endpoints and using x402 payment. This inherently sends user-provided payloads to external services (railway.app-hosted endpoints and an x402 facilitator). That is expected for this skill but is a privacy/operational risk — do not send sensitive secrets in inputs. Minor inconsistency: fetch_listings calls /v1/openclaw/listings while create_listing posts to /v1/services; this is likely a naming/path mismatch but not clearly malicious.
Install Mechanism
No install spec or external downloads; the skill is instruction-only with two local Python scripts. Nothing is written to disk or fetched during installation by the skill itself.
Credentials
The skill requires no environment variables, no secret keys, and declares no primary credential. Defaults (USDC token id, default supplier public key, API URLs) are baked into code/markdown rather than requested as secrets — consistent with the skill's purpose.
Persistence & Privilege
The skill does not request permanent presence (always:false), does not modify other skills or system-wide config, and does not persist credentials. It only makes outbound requests when run.
Assessment
This skill appears to do what it says: list and call Coclaw services. Before running it, review and accept the privacy/operational implications: the scripts will send your input payloads to third-party endpoints hosted on railway.app and rely on an external x402 facilitator to settle payments. Do not send sensitive secrets or private data as inputs. Use the provided --dry-run flags to inspect payloads and listings before attempting a paid call. If you plan to use it in production, verify the authenticity of the API/agent/facilitator URLs and consider running calls on testnet first (the SKILL.md mentions Stellar testnet). Finally, note the small path/name mismatch (openclaw vs coclaw) in the code — you may want to double-check the listings endpoint is the correct one for your deployment.Like a lobster shell, security has layers — review code before you run it.
latestvk976379y673mqasjnmzwdpmcn184s81y
License
MIT-0
Free to use, modify, and redistribute. No attribution required.