sohopay

v1.0.17

Initiate payments on the SOHO Pay credit layer using EIP-712 signatures.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description describe EIP-712 signing and on-chain payments; the code depends on ethers/dotenv and reads a PRIVATE_KEY to sign EIP-712 messages and submit transactions to Base RPC endpoints. The declared contract addresses, chainIds, and USDC asset are hardcoded, which is consistent with a payment skill.
Instruction Scope
SKILL.md and the scripts limit actions to reading the PRIVATE_KEY (via environment/.env), checking borrower profile data, signing authorizations, and submitting transactions to the configured Base RPC endpoints. The scripts do not attempt to read unrelated system files or other environment variables, nor do they post the raw private key to external services. Note: SKILL.md states the agent is intended to run autonomously, but the skill metadata (skill.json) sets autonomous:false — a minor inconsistency about intended runtime behavior.
Install Mechanism
There is no installer that downloads arbitrary archives; the project is a small Node.js package that relies on npm packages (ethers, dotenv). Installing via npm is expected for this kind of skill; npm dependencies are traceable in package-lock.json. No remote, untrusted binary downloads or URL-shorteners were observed.
Credentials
Only PRIVATE_KEY is requested and marked sensitive in skill.json, which is appropriate for a signing/payment skill. However, the top-level registry summary provided earlier stated 'Required env vars: none' — that contradicts the included skill.json which requires PRIVATE_KEY. Ensure the registry metadata accurately reflects this sensitive requirement before installing.
Persistence & Privilege
The skill does not request always:true and skill.json sets autonomous:false, so it does not gain forced permanent/autonomous invocation. It does not attempt to modify other skills or system-wide settings. The skill writes nothing outside normal npm/skill paths.
Assessment
This skill is coherent with its stated purpose, but it requires a private signing key (PRIVATE_KEY) — treat that key as extremely sensitive. Before installing: (1) only use a dedicated wallet with minimal funds that you are comfortable automating; (2) verify the hardcoded contract addresses and RPC endpoints are the intended SOHO Pay contracts for your network; (3) confirm the registry metadata is corrected to list PRIVATE_KEY as required; (4) review the scripts locally (they use dotenv and will read .env) and run them in an isolated environment or container; (5) if you do not want the agent to act without human approval, keep autonomous invocation disabled or run the scripts manually rather than enabling any autonomous behavior.
