ClawHub

SafeLink

v0.1.4

Secure agent-to-agent hiring and execution skill for OpenClaw MCP with escrowed settlement, x402 facilitator payments, ERC-8004 identity/reputation checks, s...

1· 298·0 current·0 all-time
by@licc921

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for licc921/safelink.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "SafeLink" (licc921/safelink) from ClawHub.
Skill page: https://clawhub.ai/licc921/safelink
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install licc921/safelink

ClawHub CLI

Package manager switcher

npx clawhub@latest install safelink
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (A2A hiring, escrow, x402, ERC-8004, MPC wallets) align with the provided source files (escrow, x402, input-gate, MPC wallet integration, approvals, deploy scripts). HOWEVER the registry summary at the top of the submission states 'Required env vars: none' and 'No install spec / instruction-only' while the SKILL.md and package.json/code clearly expect many environment variables and include full source code. This metadata mismatch is unexpected and should be clarified.
Instruction Scope
SKILL.md and scripts instruct the operator to run an interactive setup that collects LLM keys, Coinbase/Privy credentials, and a DEPLOYER_PRIVATE_KEY (one-time) and writes them to a local .env. The setup tests keys by making remote calls (Anthropic, Privy, RPC, facilitator). These behaviours are coherent with the stated purpose (credential checking, onboarding), but they do transmit tester requests to third-party endpoints as part of validation — review that you trust the endpoints and prefer testing with throwaway/testnet credentials.
Install Mechanism
No install spec in registry (instruction-only) and package.json uses normal npm dependencies from known packages. There are no suspicious external download URLs in the provided files; deploy script invokes Foundry (forge) via child_process, which is expected for contract deployment. Overall the install footprint is standard for a Node/Foundry project.
!
Credentials
The skill requires multiple high-sensitivity variables (ANTHROPIC_API_KEY or LLM_API_KEY, COINBASE_CDP_API_KEY_PRIVATE_KEY or PRIVY_APP_SECRET, DEPLOYER_PRIVATE_KEY for contract deployment, optional TASK_AUTH_SHARED_SECRET, REDIS_URL, etc.). These are reasonable for a payment/escrow/MPC tool, but the registry metadata failed to declare them. The one-time DEPLOYER_PRIVATE_KEY usage is documented, but storing keys in .env and the setup testing behavior increases risk if users supply production/mainnet credentials. Verify use of throwaway keys for deployment and prefer Privy/Coinbase MPC options if you want reduced local key exposure.
Persistence & Privilege
The skill does not set always:true. It can start an HTTP server (safe_listen_for_hire) bound to TASK_SERVER_PORT (default 127.0.0.1:3402) when asked, and writes .env via setup scripts. These are expected capabilities for an MCP server but mean the skill can open network listeners and store local credentials/config — run in isolated environments and confirm binding to loopback before exposing externally.
Scan Findings in Context
[ignore-previous-instructions] expected: SKILL.md and README explicitly state tests contain adversarial strings (e.g. 'Ignore all previous instructions') used as fixtures for the input-gate. The presence of the pattern in test fixtures is expected and documented; still surface this to reviewers because prompt-injection strings appear in the repo content.
What to consider before installing
Key points before installing or running SafeLink: - Metadata mismatch: the registry metadata claims 'no required env vars / instruction-only' but the included SKILL.md and code expect many sensitive environment variables (LLM keys, Coinbase/Privy credentials, DEPLOYER_PRIVATE_KEY, optional shared secrets). Treat that inconsistency as a red flag and ask the publisher to clarify. - Secrets handling: the interactive setup writes a .env and tests credentials by making network requests. Always use throwaway testnet keys (and not mainnet production keys) when first testing. If you must deploy to mainnet, follow the SKILL.md guidance to use a throwaway DEPLOYER_PRIVATE_KEY for contract deployment and then discard it. - Review endpoints: the default facilitator URL and other endpoints are external (e.g., https://x402.org/facilitator, Anthropic, Privy). Confirm you trust those services before providing API keys. The code performs some validation (chainId/token checks) but will still transmit auth tokens as part of validation/payment flows. - Network exposure: safe_listen_for_hire starts an HTTP server bound to a port (default 127.0.0.1). Verify it is bound to loopback in your environment and that you do not accidentally expose it to the public internet or an unrestricted reverse proxy. - Audit the code paths you care about: if you only plan to use escrow/x402 flows, inspect src/payments/*, src/security/* and wallet providers to ensure they meet your security requirements. Pay special attention to deploy scripts (scripts/deploy-contracts.ts) which execute forge and require a funded private key. - Verify publisher and provenance: SKILL.md points to a GitHub repo (https://github.com/charliebot8888/SafeLink) but registry 'Source' was unknown and homepage missing in the registry metadata. Confirm the repository origin, review commit history, and prefer installing from an audited/official source. - Run in a sandbox first: install and run in an isolated environment (container or VM) with network egress controls and testnet/throwaway secrets. Ask the author to correct registry metadata before granting production credentials. If you want, I can: 1) list the exact env vars the code expects, 2) point out every place keys are transmitted in the code, or 3) produce minimal run instructions for a safe local test using throwaway/testnet credentials.

Like a lobster shell, security has layers — review code before you run it.

a2avk979q8c3b6r2z1qekwz8jx3vx582a1hzagentic-walletvk979q8c3b6r2z1qekwz8jx3vx582a1hzerc-8004vk979q8c3b6r2z1qekwz8jx3vx582a1hzescrowvk979q8c3b6r2z1qekwz8jx3vx582a1hzlatestvk979q8c3b6r2z1qekwz8jx3vx582a1hzmcpvk979q8c3b6r2z1qekwz8jx3vx582a1hzpaymentsvk979q8c3b6r2z1qekwz8jx3vx582a1hzproductionvk979q8c3b6r2z1qekwz8jx3vx582a1hzsecurityvk979q8c3b6r2z1qekwz8jx3vx582a1hzweb3vk979q8c3b6r2z1qekwz8jx3vx582a1hzx402vk979q8c3b6r2z1qekwz8jx3vx582a1hz
298downloads
1stars
5versions
Updated 1mo ago
v0.1.4
MIT-0
@licc921
a2aagentic-walleterc-8004escrowlatestmcppaymentsproductionsecurityweb3x402
Download

SafeLink

Production-grade OpenClaw skill for safe bidirectional hire-agent and execute-agent flows.

Brand and Discovery

SafeLink is designed for trusted agent economies:

  • tagline: Secure A2A hiring, settled by proof
  • target users: OpenClaw developers, MCP operators, agent marketplaces
  • recommended ClawHub tags:
    • security
    • web3
    • a2a
    • payments
    • escrow
    • x402
    • erc-8004
    • agentic-wallet
    • mcp
    • production

Design Goals

  • Default-safe operations with explicit escalation for risk.
  • Zero private key exposure through MPC wallet providers.
  • Proof-before-settlement: no proof, no release.
  • Deterministic validation and replay defenses.
  • Fast onboarding: one-call wallet setup and beginner-safe examples.

Security Guarantees

SafeLink enforces the following guarantees in runtime code paths:

  1. Wallet custody
  • Private keys are never loaded into app memory.
  • Signing is delegated to Coinbase AgentKit MPC or Privy MPC.
  1. Settlement safety
  • Escrow deposit happens before task execution.
  • Release requires proof hash equality with on-chain commitment.
  • Failed delivery and invalid proofs trigger refund path.
  1. Replay and race protection
  • Receipt replay reservation/used state is enforced.
  • Idempotency lock prevents concurrent duplicates.
  • Completed idempotency keys are blocked for reuse (terminal dedupe window).
  1. Input and endpoint hardening
  • Strict zod validation on tool inputs.
  • PII redaction for task and intent text.
  • Endpoint URL checks include scheme, hostname denylist, private IP range checks, and DNS resolution checks to prevent SSRF pivots.
  1. Transaction execution safety
  • Simulate before signing.
  • Risk score and flags decide gating path.
  • High-risk actions require explicit confirmation.

Industry Alignment Matrix

Reference themes: x402 v2 facilitator model, ERC-8004 reputation/verification tiers, proof-before-settlement, cryptoeconomic reputation, opaque A2A execution, gas-aware risk controls, zkML/TEE extensibility.

  • x402 facilitator flow: Partially covered
    • covered: requirements/pay/verify flows, domain checks, timeout handling
    • gap: SIWx auth binding, batch settlement primitive, sponsored gas ergonomics
  • ERC-8004 base identity/reputation: Covered
    • covered: register, getAgent, active checks, threshold gating
    • gap: tiered verification fields and verifier lifecycle
  • Proof-before-settlement: Covered
    • covered: deterministic proof commitment and strict on-chain proof match
  • Reputation cryptoeconomics: Partially covered
    • covered: escrow success/failure reputation updates, minimum threshold checks
    • gap: robust Sybil graph scoring, stake/slash challenge economics
  • A2A opaque execution: Partially covered
    • covered: minimal metadata task payload and policy gates
    • gap: encrypted envelope mode and selective disclosure controls
  • Gas and DoS hardening: Partially covered
    • covered: simulation gas checks, request body limits, concurrency cap, timeout controls
    • gap: adaptive rate control, weighted queues, quota market controls
  • zkML/TEE hooks: Partially covered
    • covered: tool fields and hook placeholders
    • gap: real attestation verification and circuit verifier integration

Tool Contract (Production)

setup_agentic_wallet

Purpose: Create or load an MPC wallet and return balance/network readiness.

Parameters:

  • provider (optional): "auto" | "coinbase" | "privy"
    • auto: choose Coinbase when available, else Privy

Returns:

{
  "provider": "coinbase",
  "wallet_id": "wallet_...",
  "address": "0x...",
  "eth_balance": "0.120000 ETH",
  "usdc_balance": "12.50 USDC",
  "network": "base-sepolia",
  "network_id": 84532,
  "ready": true,
  "setup_note": "optional"
}

Safety notes:

  • Never return secrets.
  • If user selects a provider explicitly, honor that choice.
  • Fail with actionable configuration guidance.

Example:

{
  "tool": "setup_agentic_wallet",
  "arguments": { "provider": "auto" }
}

safe_hire_agent

Purpose: Hire one agent with escrow + x402 + proof verification.

Parameters:

  • target_id: 0x... agent address
  • task_description: text task
  • payment_model: "per_request" | "per_min" | "per_execution"
  • rate: number USDC
  • idempotency_key (optional): dedupe key
  • policy (optional): runtime constraints
  • confirmed (optional): explicit high-risk confirmation

Returns:

{
  "task_id": "...",
  "escrow_id": "0x...",
  "result": {},
  "proof_hash": "0x...",
  "status": "completed",
  "reputation_score_at_hire": 82,
  "amount_paid_usdc": 0.05,
  "idempotency_key": "hire-..."
}

Safety notes:

  • Blocks low-reputation targets.
  • Enforces strict endpoint validation including DNS/IP checks.
  • Refuses invalid proofs and refunds escrow.

Example:

{
  "tool": "safe_hire_agent",
  "arguments": {
    "target_id": "0xabc123...",
    "task_description": "Summarize this PR and list top 3 security risks.",
    "payment_model": "per_request",
    "rate": 0.05,
    "idempotency_key": "hire-pr-2026-03-05"
  }
}

safe_execute_tx

Purpose: Intent-to-transaction execution pipeline with mandatory simulation and risk gating.

Parameters:

  • intent_description: plain-English tx intent
  • confirmed (optional): high-risk confirmation

Returns:

{
  "tx_hash": "0x...",
  "simulation_report": {
    "success": true,
    "gas_estimate": "142331"
  },
  "risk_score": 24,
  "risk_flags": ["HIGH_GAS"],
  "status": "broadcast"
}

Safety notes:

  • Never sign when simulation fails.
  • Never bypass confirmation for high-risk score.

Example:

{
  "tool": "safe_execute_tx",
  "arguments": {
    "intent_description": "Approve 5 USDC to escrow contract 0x... on Base Sepolia"
  }
}

safe_listen_for_hire

Purpose: Start local HTTP receiver for inbound paid tasks.

Parameters:

  • none

Returns:

{
  "status": "listening",
  "message": "Agent ... is now accepting hire requests ...",
  "tasks_processed": 0,
  "endpoint": "http://127.0.0.1:8787/task"
}

Safety notes:

  • Verifies payment receipt before executing work.
  • Rejects malformed session IDs and invalid amount values.
  • Uses bounded concurrency and body size limits.

Example:

{
  "tool": "safe_listen_for_hire",
  "arguments": {}
}

Additional Tools

  • safe_hire_agents_batch: batch hires with bounded concurrency and failure policy
  • safe_register_as_service: publish capabilities/policy to registry
  • verify_task_proof: validate proof locally and optionally against escrow record
  • get_agent_reputation: fetch and evaluate target reputation profile
  • generate_agent_card: produce JSON and markdown profile artifacts
  • checkpoint_memory: encrypted memory checkpoint + Merkle anchoring
  • agent_analytics_summary: period metrics and operations summary

One-Click Setup

  1. Install and configure env:
npm install
npm run setup
  1. Build and start MCP server:
npm run build
npm start
  1. First call from host:
{
  "tool": "setup_agentic_wallet",
  "arguments": { "provider": "auto" }
}

Security-Focused Examples

Example: Safe hire with deterministic idempotency

await agent.call("safe_hire_agent", {
  target_id: "0xabc123...",
  task_description: "Analyze the staking contract for reentrancy and auth flaws.",
  payment_model: "per_request",
  rate: 0.08,
  idempotency_key: "audit-staking-v1-2026-03-05"
});

Example: Escalation flow for high-risk tx

const firstTry = await agent.call("safe_execute_tx", {
  intent_description: "Upgrade proxy at 0x... to implementation 0x..."
});

// If approval required, call again:
await agent.call("safe_execute_tx", {
  intent_description: "Upgrade proxy at 0x... to implementation 0x...",
  confirmed: true
});

Key TypeScript Skeletons

setup_agentic_wallet

export async function setup_agentic_wallet(rawInput: unknown) {
  const input = validateInput(WalletSchema, rawInput);
  const wallet = await getMPCWalletClient(resolveProvider(input.provider));
  const [eth, usdc, chainId] = await Promise.all([
    publicClient.getBalance({ address: wallet.address }),
    getUSDCBalance(wallet.address, resolveNetwork()),
    publicClient.getChainId()
  ]);

  return formatWalletReady(wallet, eth, usdc, chainId);
}

safe_hire_agent

export async function safe_hire_agent(rawInput: unknown): Promise<HireResult> {
  const input = validateInput(HireSchema, rawInput);
  const key = deriveOrUseIdempotencyKey(input);
  await acquireIdempotencyLock(key);

  try {
    const rep = await assertReputation(input.target_id);
    const commitment = computeProofCommitment(session.id, input.target_id);
    const escrow = await depositEscrow(...);
    const payment = await sendX402Payment(...);
    const task = await deliverTaskToAgentStrict(...);

    if (!verifyProof(task.proof_hash, session.id, input.target_id)) {
      await refundEscrow(escrow.escrowId);
      throw new ProofVerificationError(task.proof_hash);
    }

    await releaseEscrow(escrow.escrowId, task.proof_hash);
    await markIdempotencyCompleted(key);
    return buildHireResult("completed", ...);
  } catch (e) {
    await attemptRefundIfNeeded();
    throw e;
  } finally {
    await releaseIdempotencyLock(key);
    await destroySession(session.id);
  }
}

safe_execute_tx

export async function safe_execute_tx(rawInput: unknown): Promise<ExecuteTxResult> {
  const input = validateInput(ExecuteTxSchema, rawInput);
  const parsed = await intentToTransaction(input.intent_description);
  const simulation = await simulateTx(parsed);

  if (!simulation.success) return simulationFailed(simulation);

  const { score, flags } = await scoreRisk(simulation);
  enforceApprovalGate(score, flags, input.confirmed, simulation);

  const wallet = await getMPCWalletClient();
  const txHash = await wallet.sendTransaction(toTxRequest(parsed, simulation));
  return buildExecuteResult(txHash, simulation, score, flags);
}

safe_listen_for_hire

export async function safe_listen_for_hire(): Promise<ListenResult> {
  const server = await startTaskServer(getConfig().TASK_SERVER_PORT);
  return {
    status: "listening",
    message: `Register capability endpoint:${server.address}/task`,
    tasks_processed: 0,
    endpoint: `${server.address}/task`
  };
}

Recommended New Tools (Next Iteration)

  • safe_verify_attestation
    • verify TEE quotes and zkML proofs against approved verifier sets
  • safe_challenge_settlement
    • submit challenge evidence for disputed task proofs
  • safe_rate_limit_admin
    • runtime quotas and payer-level controls

Recommended Config Additions

  • SAFE_ENDPOINT_ALLOWLIST: allowed destination domains for outbound A2A calls
  • MAX_INBOUND_AMOUNT_ATOMIC_USDC: hard cap on inbound job value
  • IDEMPOTENCY_COMPLETED_TTL_MS: terminal dedupe window
  • SIWX_REQUIRED: require SIWx signature binding for paid task requests
  • ENABLE_OPAQUE_ENVELOPE: encrypted A2A payload mode

Security Disclosure

  • Required environment variables: ANTHROPIC_API_KEY (LLM), BASE_RPC_URL, and one of Privy (PRIVY_APP_ID + PRIVY_APP_SECRET) or Coinbase CDP (COINBASE_CDP_API_KEY_NAME + COINBASE_CDP_API_KEY_PRIVATE_KEY) for MPC wallet signing. Full list in .env.example and _meta.json.
  • DEPLOYER_PRIVATE_KEY: Used once by scripts/deploy-contracts.ts for initial on-chain contract deployment only. Not loaded at MCP runtime. Use a throwaway funded key; discard after deployment.
  • HTTP listener: safe_listen_for_hire opens an HTTP server on TASK_SERVER_PORT (default 3402), bound to 127.0.0.1 unless explicitly reconfigured.
  • File writes: scripts/deploy-contracts.ts writes deployed contract addresses back to .env. scripts/generate-env.ts creates .env interactively. Neither runs automatically on MCP startup.
  • External CLI (forge): Used by scripts/deploy-contracts.ts for one-time Solidity contract compilation and deployment only. Not required or invoked at MCP runtime.
  • Test files: tests/stress/ contains literal prompt-injection strings (e.g. Ignore all previous instructions) as adversarial test fixtures that verify the input-gate blocks them. These are not instructions to any agent.

Changelog

  • v0.1.1 (2026-03-05)

    • added _meta.json with full required env vars, binaries, runtime behavior, and security disclosure for registry scanners
    • added clarifying headers to stress test files to prevent false-positive prompt-injection scanner alerts
    • upgraded x402 to ^1.1.0 (fixes GHSA-3j63-5h8p-gf7c)

  • v0.1.0 (2026-03-05)

    • initial public release
    • strict endpoint DNS/IP validation for outbound task delivery
    • HMAC-signed inbound task auth with nonce replay lock and SIWx hook
    • completion-state idempotency protection blocks post-completion duplicates
    • /.well-known/agent-card.json HTTP endpoint
    • 128 unit tests, zero TypeScript errors, CI coverage gates enforced

Roadmap

  1. Complete x402 v2 alignment
  • SIWx auth binding
  • batch payment primitive
  • optional sponsored gas support
  1. ERC-8004 tiered verification
  • tier metadata (basic, tee_attested, zkml_attested, stake_secured)
  • verifier registries and revocation handling
  1. Cryptoeconomic reputation hardening
  • Sybil graph scoring
  • challenge/slash dispute mechanisms
  1. Opaque A2A execution
  • encrypted task/result envelopes
  • selective metadata disclosure
  1. Production SRE posture
  • adaptive rate limits
  • weighted queues
  • audit log export and incident hooks

Comments

Loading comments...