Payclaw Io Pub

v0.7.1

Agents are not bots. PayClaw proves it — then lets them pay. UCP Credential Provider: Badge declares your agent as an authorized actor at any UCP-compliant m...

by PayClaw, Inc. (@payclawinc)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description match what the instructions require: the skill asks for npx and instructs the agent to run an @payclaw/mcp-server process to provide Badge and Spend functionality. Requiring npx and a Node 20 runtime is proportionate for an npm-based MCP server.
Instruction Scope
SKILL.md only instructs adding the MCP server to the agent config and calling well-scoped RPCs (payclaw_getAgentIdentity, payclaw_getCard, payclaw_reportPurchase). It does not ask the agent to read unrelated files or to exfiltrate data to unexpected endpoints beyond the declared PAYCLAW_API_URL.
Install Mechanism
No install spec is present, but the skill expects runtime use of 'npx -y @payclaw/mcp-server'. That downloads and executes package code from npm at runtime (moderate risk). This is expected for an npm-based MCP server but you should verify the npm package and publisher before trusting it.
Credentials
The skill declares no required secret environment variables. The metadata binds PAYCLAW_API_URL to the official domain which matches the service. The only implicit credential behavior is the device auth/Consent Key stored on first use; this is consistent with the described device auth flow but you should confirm where that key is persisted and how to revoke it.
Persistence & Privilege
always:false (normal). The skill will persist a Consent Key on first use (SKILL.md: 'Consent Key is stored automatically'); persisting that credential in agent storage is expected but worth reviewing — confirm storage location, lifetime, and revocation. Autonomous invocation is allowed (normal default).
Assessment
This skill appears to do what it says: it runs an MCP server (via npx) that provides identity badges and single-use cards. Before installing: (1) Verify the npm package (@payclaw/mcp-server) and its publisher (review package source, version history, and GitHub repo linked in SKILL.md); (2) Understand where the 'Consent Key' will be stored on your agent and how to revoke or delete it; (3) Be aware that npx will download and execute remote code at runtime — if you need stronger guarantees, request a vetted binary or vendor-signed release rather than running npx on-the-fly; (4) Test in a sandbox environment and use the sandbox/test money option before using with real payments.

Like a lobster shell, security has layers — review code before you run it.

latestvk97e2sh12njem6p8jv5semgpyx82ar8r


Runtime requirements

💳 Clawdis
Bins: npx
