Pearl
v0.0.14
Stripe for AI agents — one wallet for all paid skills. If you installed a skill that requires Pearl (check its SKILL.md), you MUST set up Pearl first: run no...
by Simeon @misteeka
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign, high confidence
Purpose & Capability
Name/description (payments for AI agents) align with the code and SKILL.md. The scripts implement a one-time setup, local config storage (~/.pearl/config.json), read-only balance/transactions calls using read_token, and a run() helper that sends a limited skill_token to skill servers. Required binary 'node' is appropriate.
Instruction Scope
SKILL.md only instructs running the included node scripts (setup, balance, transactions) and npm install. It documents what is stored and what is sent to third parties. The runtime instructions do not ask the agent to access unrelated files, environment variables, or endpoints.
Install Mechanism
There is no registry install spec in the skill bundle itself, but _meta.json includes a postinstall entry and SKILL.md tells users to run npm install --prefix {baseDir}. package.json lists no external dependencies, so npm install is low risk. No downloads from unknown URLs or archive extraction are used.
Credentials
The skill requests no environment variables or external credentials. It stores tokens locally at ~/.pearl/config.json with file mode 0600. The separation of read_token (only for Pearl API) and skill_token (explicitly intended to be sent to skill provider servers) matches the documented design.
Persistence & Privilege
always is false and the skill does not request persistent platform-wide privileges. It writes only to its own directory (~/.pearl) and does not modify other skills or system-wide agent settings.
Assessment
This skill appears internally consistent with its description. Notes and suggested checks before installing:
- The client stores two tokens in ~/.pearl/config.json (mode 0600). Do not share that file. The read_token is used only with pearlcash.ai; the skill_token is intentionally sent to third-party skill servers to identify your user for billing.
- The worst-case misuse of a leaked skill_token (per the author) is exposure of your Pearl user ID and potentially creation of pending charges; it cannot read your balance or approve charges. However, a malicious skill server could attempt social engineering or create many pending charges, so only enable Pearl-powered skills from developers you trust.
- Verify the domain https://pearlcash.ai is legitimate to you (homepage provided). If you have concerns, inspect scripts/setup.js and scripts/run.js (they are included) before running them.
- npm install is suggested but package.json lists no dependencies; running npm install in the skill directory is low risk. If you prefer, inspect the files (they are small, bundled here) and run only the specific scripts you trust.
- Overall: coherent and proportionate. If you need higher assurance, confirm the Pearl service, check TLS cert for pearlcash.ai, and run the setup flow only when you can observe the login on a device you control.
Runtime requirements
💎 Clawdis
Bins: node
