x402-payment-demo

Demo of x402 payment protocol by fetching a protected image. Triggers: 'demo x402-payment'

MIT-0 · Free to use, modify, and redistribute. No attribution required.
by open-aibank@Hades-Ye
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The skill claims to demo an x402 payment flow on TRON and to perform payments/signing. Performing payments on a blockchain typically requires access to a wallet/private key or a signing service. The skill declares no required environment variables, credentials, config paths, or explicit dependency on a signing provider, so the claimed capability is not justified by the declared requirements. The SKILL.md references following another skill ('x402-payment-tron') but that dependency is not declared.
! Instruction Scope
The instructions are high-level and delegate to the 'x402-payment-tron' skill. They instruct the agent to 'Perform the payment and resource acquisition automatically (handling 402 ... signing permits, etc.)'; this is vague and gives the agent broad discretion about where to obtain signing keys and how to execute payments. The skill names explicit external endpoints to contact (x402-tron-demo.aibank.io), which is expected, but the instructions do not constrain or describe how to obtain user approval for spending funds or where private keys come from. That could lead to unexpected wallet access, or to prompts that the agent handles autonomously.
Install Mechanism
Instruction-only skill with no install spec and no code files. This minimizes disk-write/install risk.
! Credentials
No environment variables or credentials are declared despite the need to sign blockchain transactions. Reasonable implementations would declare a wallet/private-key provider, hardware/remote signer, or require user confirmation. The absence of any declared credential is disproportionate to the stated task and ambiguous — the skill may implicitly rely on another skill or on the agent having access to signing material, which should be made explicit.
Persistence & Privilege
The skill does not request always:true, does not declare persistent changes, and does not ask to modify other skills or system settings. Model invocation is allowed (platform default), which is expected for user-invocable skills.
What to consider before installing
This skill delegates payment signing but does not say where signing keys or a signing service come from. Before installing or running it:

  1. Ask the author for the 'x402-payment-tron' skill content and how signing is performed (local key, hardware wallet, remote signer, or user prompt).
  2. Confirm whether the agent will prompt you for explicit approval before any on-chain payment, and whether private keys will ever be accessed from your environment.
  3. Review and validate the external demo host (https://x402-tron-demo.aibank.io) and consider testing in a sandbox account with no real funds.
  4. If you require safety, disable autonomous invocation or require explicit user confirmation for any payment operations.

Providing the referenced dependency (x402-payment-tron) and a clear description of the signing flow would materially reduce my concern.


Current version: v1.0.2
latestvk9718hw7z9n30fg8gb6mbb99bh80qha8

Runtime requirements

🖼️ Clawdis

SKILL.md

x402 Payment Demo Skill

This skill demonstrates the x402 payment protocol on the TRON network.

Usage

Simply tell the Agent:

  • "demo x402-payment"

Workflow

  1. Request Resource: When triggered, follow the instructions provided by the x402-payment-tron skill to fetch the protected resource. Use Tron Nile by default:
    • Tron Nile (Default): https://x402-tron-demo.aibank.io/protected-nile
    • Tron Shasta: https://x402-tron-demo.aibank.io/protected-shasta
    • Tron Mainnet: https://x402-tron-demo.aibank.io/protected-mainnet
  2. Handle Payment: Perform the payment and resource acquisition automatically as guided by the protocol (handling 402 Payment Required, signing permits, etc.).
  3. Display & Cleanup: Once the image is retrieved, present it to the user. Immediately delete the local temporary file after the image has been displayed.
