Ghost Protocol OpenClaw Pay
Status: Warn. Audited by ClawScan on May 10, 2026.
Overview
This skill is a real crypto/payment integration. Its behavior is coherent and disclosed, but it can spend funds with a private signer key against merchant endpoints without an enforced confirmation step.
Install only if you intend to let OpenClaw perform real Ghost/x402 payment flows. Use a restricted signer key, require manual confirmation for live paid requests, keep merchant endpoints allowlisted, run dry-runs first, avoid unlimited approval modes unless explicitly intended, and pin or lock npm dependencies before production use.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent invocation could cause a real paid request to a merchant endpoint up to the configured amount cap.
The helper can perform a live signer-authorized x402 payment to a supplied merchant URL, and dry-run mode is not the default. This is purpose-aligned but high-impact and lacks an enforced approval gate.
const url = normalizeOptionalString(args.url || process.env.GHOST_OPENCLAW_X402_URL); ... const dryRun = toBool(args["dry-run"], false); ... const fetchWithPayment = wrapFetchWithPayment(globalThis.fetch, signer, BigInt(maxAmountAtomic)); const response = await fetchWithPayment(url, ...);
Require explicit user confirmation for every live paid call, allowlist merchant endpoints/service slugs, keep a low max amount, and use --dry-run true before any new merchant or runtime.
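One way to put the missing gate in front of the paid call, as an added example in JavaScript (not the skill's own code): the merchant host must be on an allowlist, the requested cap cannot exceed a policy cap, dry-run is the default, and a live request only proceeds through an injected confirmation hook. The allowlisted host, the cap, and the deps.confirm / deps.makeFetchWithPayment hooks are assumptions; the real wrapped fetch from x402-fetch is expected to be passed in, not created here.

```javascript
// Added example, not from the skill: plan a paid x402 request under an explicit policy.
// Every decision that needs no I/O is made synchronously so it can be unit-tested
// without a signer or a merchant.
const PAYMENT_POLICY = {
  // Constructed allowlist; a real deployment would load this from reviewed config.
  allowedMerchantHosts: new Set(["merchant.example.test"]),
  // Hypothetical cap: 5 USDC expressed in 6-decimal atomic units.
  maxAmountAtomic: 5_000_000n,
  // The skill defaults to a live call (toBool(args["dry-run"], false)); invert that.
  dryRunDefault: true,
};

function parseBool(value, fallback) {
  if (value === undefined || value === null || value === "") return fallback;
  return ["1", "true", "yes", "on"].includes(String(value).trim().toLowerCase());
}

// Returns { action: "dry-run" | "confirm", summary, url, cap } or throws.
function planPaidRequest(args, policy = PAYMENT_POLICY) {
  let url;
  try { url = new URL(String(args.url)); } catch { throw new Error("merchant url is missing or invalid"); }
  if (url.protocol !== "https:") throw new Error("merchant url must use https");
  if (!policy.allowedMerchantHosts.has(url.hostname)) {
    throw new Error(`merchant host not allowlisted: ${url.hostname}`);
  }
  // A per-call cap may lower the policy cap, never raise it.
  const cap = args.maxAmountAtomic === undefined ? policy.maxAmountAtomic : BigInt(args.maxAmountAtomic);
  if (cap <= 0n || cap > policy.maxAmountAtomic) throw new Error(`amount cap ${cap} outside policy`);
  const dryRun = parseBool(args.dryRun, policy.dryRunDefault);
  return {
    action: dryRun ? "dry-run" : "confirm",
    summary: { host: url.hostname, path: url.pathname, maxAmountAtomic: cap.toString(), dryRun },
    url: url.toString(),
    cap,
  };
}

// deps.confirm: async (summary) => boolean, the human-in-the-loop gate (assumed hook).
// deps.makeFetchWithPayment: (cap) => paid fetch, e.g. a closure over
//   wrapFetchWithPayment(globalThis.fetch, signer, cap) from x402-fetch (assumed hook, not called here).
async function executePaidRequest(plan, deps) {
  if (plan.action === "dry-run") return { status: "dry-run", summary: plan.summary };
  if (typeof deps.confirm !== "function") throw new Error("live payment requires a confirmation hook");
  if (!(await deps.confirm(plan.summary))) return { status: "declined", summary: plan.summary };
  const fetchWithPayment = deps.makeFetchWithPayment(plan.cap);
  const response = await fetchWithPayment(plan.url, { method: "GET" });
  return { status: "paid", summary: plan.summary, httpStatus: response.status };
}
```

planPaidRequest is the only place policy is applied, and executePaidRequest is the only place a paid fetch is reached, so a test can exercise the allowlist, the cap, and the dry-run default without a key; a live payment still cannot happen unless confirm resolves true.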
If the signer key is exposed or over-privileged, it could authorize payments or settlement signatures outside the user's intent.
The skill needs a private signer key for its payment function and does not show hardcoded or logged keys, but accepting the key as a CLI argument can expose it via shell history or process listings.
const privateKey = normalizeOptionalString(args["private-key"] || process.env.GHOST_SIGNER_PRIVATE_KEY);
Store the key only in a secret manager or protected environment variable, avoid --private-key on the command line, and use a scoped/budget-limited signer where possible.
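An added example (not from the skill) of the key-handling recommendation: the loader refuses --private-key on argv, reads the key only from GHOST_SIGNER_PRIVATE_KEY, validates its shape, and a redaction helper keeps the value out of anything that gets logged. The regex assumes a 0x-prefixed 32-byte secp256k1 key of the form viem's privateKeyToAccount accepts; argv and env are passed in as parameters so the function can be tested with constructed values.

```javascript
// Added example, not from the skill: signer key loading that never touches argv.
// 0x-prefixed 32-byte hex, the shape viem's privateKeyToAccount expects (assumption).
const HEX_PRIVATE_KEY = /^0x[0-9a-fA-F]{64}$/;

function loadSignerPrivateKey({ argv, env }) {
  // Refuse the flag outright: argv is visible in process listings and shell
  // history, so silently accepting it would defeat the point of the env var.
  const offending = argv.find((a) => a === "--private-key" || a.startsWith("--private-key="));
  if (offending) {
    throw new Error("refusing --private-key on the command line; set GHOST_SIGNER_PRIVATE_KEY instead");
  }
  const raw = (env.GHOST_SIGNER_PRIVATE_KEY || "").trim();
  if (!raw) throw new Error("GHOST_SIGNER_PRIVATE_KEY is not set");
  if (!HEX_PRIVATE_KEY.test(raw)) {
    throw new Error("GHOST_SIGNER_PRIVATE_KEY is not a 0x-prefixed 32-byte hex key");
  }
  return raw.toLowerCase();
}

// Replace every occurrence of each secret value inside a log object, recursively,
// so argv echoes, error messages and request dumps cannot leak the key.
function redactSecrets(value, secrets) {
  if (typeof value === "string") {
    return secrets.reduce(
      (s, secret) => (secret && s.includes(secret) ? s.split(secret).join("[redacted]") : s),
      value,
    );
  }
  if (Array.isArray(value)) return value.map((v) => redactSecrets(v, secrets));
  if (value && typeof value === "object") {
    return Object.fromEntries(Object.entries(value).map(([k, v]) => [k, redactSecrets(v, secrets)]));
  }
  return value;
}
```

An environment variable is only a partial fix: the same user can still read it from /proc/<pid>/environ and child processes inherit it, so a secret manager that hands the key to the process at start is preferable, and redactSecrets belongs in front of any logger that might see argv, the environment, or a thrown error.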
A future install could resolve to different package versions, changing the code that handles payments or private-key signing.
The payment/signing path depends on npm packages with moving caret ranges, and no lockfile is present in the provided manifest.
"dependencies": { "viem": "^2.21.0", "x402": "^1.1.0", "x402-fetch": "^1.1.0" }
Install from a trusted source with a reviewed lockfile or pinned dependency versions, especially in production signer environments.
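An added pre-install check for the dependency finding (example code, not part of the skill): auditDependencies flags every spec that is not an exact version and the absence of a lockfile, and pinDependencies rewrites the manifest from a set of resolved versions. The manifest below copies the page's dependency block; the resolved versions and the file list are constructed for the example.

```javascript
// Added example, not from the skill: audit and pin a package.json before installing it
// into a signer environment.
const EXACT_SEMVER = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;
const LOCKFILES = ["package-lock.json", "npm-shrinkwrap.json", "yarn.lock", "pnpm-lock.yaml"];

// Returns a list of issues; an empty list means every runtime dependency is pinned
// to an exact version and some lockfile is present in the artifact.
function auditDependencies(manifest, presentFiles) {
  const issues = [];
  for (const field of ["dependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      // Caret, tilde, ranges, tags such as "latest", and git/url specs all fail this test.
      if (!EXACT_SEMVER.test(String(spec).trim())) {
        issues.push({ kind: "floating-range", field, name, spec });
      }
    }
  }
  if (!LOCKFILES.some((f) => presentFiles.includes(f))) {
    issues.push({ kind: "missing-lockfile", expectedOneOf: LOCKFILES });
  }
  return issues;
}

// resolved: { name: version } taken from a reviewed install; throws rather than
// leaving a dependency floating when no reviewed version exists for it.
function pinDependencies(manifest, resolved) {
  const pinned = { ...manifest };
  for (const field of ["dependencies", "optionalDependencies"]) {
    if (!manifest[field]) continue;
    pinned[field] = {};
    for (const name of Object.keys(manifest[field])) {
      const version = resolved[name];
      if (!version || !EXACT_SEMVER.test(version)) {
        throw new Error(`no reviewed exact version for ${name}`);
      }
      pinned[field][name] = version;
    }
  }
  return pinned;
}

// The skill's dependency block as shown on the page.
const SKILL_MANIFEST = {
  dependencies: { viem: "^2.21.0", x402: "^1.1.0", "x402-fetch": "^1.1.0" },
};
// Constructed: versions a reviewer has installed and inspected (not a claim about real releases).
const REVIEWED_VERSIONS = { viem: "2.21.0", x402: "1.1.0", "x402-fetch": "1.1.0" };
```

Pinning alone does not defend against a tarball republished under the same version; the lockfile carries integrity hashes, which is why the audit wants both, and npm ci, which refuses to install when package.json and the lockfile disagree, is the install command to pair with it.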
Webhook secrets or sensitive task metadata could be shared with the configured provider endpoint if used carelessly.
The optional GhostWire flow can send webhook URLs, webhook secrets, request prompts, and metadata to the configured GhostWire API endpoint.
const webhookUrl = String(args["webhook-url"] || process.env.GHOSTWIRE_WEBHOOK_URL || "").trim(); const webhookSecret = String(args["webhook-secret"] || process.env.GHOSTWIRE_WEBHOOK_SECRET || "").trim(); ... webhookUrl: webhookUrl || undefined, webhookSecret: webhookSecret || undefined
Use webhook secrets only with trusted GhostWire endpoints, rotate them if exposed, and avoid putting unnecessary sensitive data in request prompts or metadata.
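An added example (not the skill's code) of the GhostWire recommendation: the webhook secret is only attached when the endpoint is an https host on a trusted list, a prompt that contains the secret is refused, and metadata keys that look like credentials are dropped before the request body is built. The trusted host, the credential key-name pattern, and the input shape are assumptions.

```javascript
// Added example, not from the skill: build the GhostWire request body under an
// explicit trust decision instead of forwarding whatever was supplied.
const GHOSTWIRE_TRUSTED_HOSTS = new Set(["api.ghostwire.example.test"]); // constructed
// Metadata keys that usually carry credentials (assumed pattern).
const SENSITIVE_KEY = /(secret|token|password|passwd|private[_-]?key|authorization|api[_-]?key)/i;

function sanitizeMetadata(metadata) {
  const clean = {};
  const dropped = [];
  for (const [key, value] of Object.entries(metadata || {})) {
    if (SENSITIVE_KEY.test(key)) dropped.push(key);
    else clean[key] = value;
  }
  return { clean, dropped };
}

function buildGhostWireRequest(input, trustedHosts = GHOSTWIRE_TRUSTED_HOSTS) {
  const target = new URL(input.endpoint);
  const trusted = target.protocol === "https:" && trustedHosts.has(target.hostname);
  const webhookSecret = (input.webhookSecret || "").trim();
  // The secret is the only thing that must not reach an unknown endpoint; the
  // task itself may still be sent, so untrusted without a secret is allowed.
  if (webhookSecret && !trusted) {
    throw new Error(`refusing to send a webhook secret to ${target.host}: not a trusted https GhostWire endpoint`);
  }
  if (webhookSecret && String(input.prompt || "").includes(webhookSecret)) {
    throw new Error("prompt contains the webhook secret");
  }
  if (input.webhookUrl && new URL(input.webhookUrl).protocol !== "https:") {
    throw new Error("webhook url must use https");
  }
  const { clean, dropped } = sanitizeMetadata(input.metadata);
  return {
    target: target.toString(),
    body: {
      prompt: input.prompt,
      metadata: clean,
      webhookUrl: input.webhookUrl || undefined,
      webhookSecret: webhookSecret || undefined,
    },
    droppedMetadataKeys: dropped,
  };
}
```

droppedMetadataKeys is returned so the caller can log which keys were removed without logging their values; if the secret does leak, the page's advice to rotate it still applies, since this check only limits where it is sent.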
