ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Payclaw

Agent-to-Agent USDC payments. Create wallets, send/receive payments, escrow between agents. Built for the USDC Hackathon on Moltbook.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 814 · 0 current installs · 0 all-time installs
by@rojasjuniore
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The code implements a CLI that delegates work to an external 'circle-wallet' command and stores a Circle API key in ~/.openclaw/payclaw/config.json. However, the skill metadata declares no required binaries, no credentials, and no config paths — those are required in practice. Also the SKILL.md suggests importing a PayClaw class from 'payclaw' for programmatic agent integration, but the distributed code is only a CLI (no exported library API). These mismatches mean the declared purpose is plausible but the manifest omits key requirements and the integration example is inaccurate.
!
Instruction Scope
The runtime instructions and code tell the agent/user to: install/build/link the package, run 'payclaw setup --api-key YOUR_CIRCLE_API_KEY' (so an API key is required), create wallets, register agents, and run payments. The implementation executes shell commands via execSync(`circle-wallet ${cmd}`) with user-provided inputs (addresses, amounts, arbitrary command fragments) and writes/reads files under ~/.openclaw/payclaw (config.json, escrows.json, agents.json, history.json). There is no input sanitization for values interpolated into the shell call, creating command‑injection risk. The SKILL.md and package manifest do not declare the required HOME config path access or the need for the external 'circle-wallet' binary.
Install Mechanism
There is no remote download/install spec in the registry (the skill is instruction-only), but the package includes full source and a built CLI. Install instructions in SKILL.md use npm install && npm run build && npm link — a typical local install that will place files on disk. No suspicious external URLs or archives are used in the install flow.
!
Credentials
The skill does require a Circle API key (SKILL.md shows payclaw setup --api-key) but the registry metadata lists no required environment variables or primary credential. The code instead persists the API key to ~/.openclaw/payclaw/config.json (file mode 600 is applied). The skill also relies on a 'circle-wallet' binary (not declared). The absence of declared credentials/binaries in the metadata is a coherence issue and could mislead users about what sensitive values the skill needs.
Persistence & Privilege
The skill writes its own config and data into ~/.openclaw/payclaw and does not request always:true or other elevated privileges. It does not modify other skills' configurations. Autonomous invocation is allowed by platform default, which is expected; no additional persistence privileges are requested.
What to consider before installing
This skill is a CLI wrapper around an external 'circle-wallet' tool and expects you to provide a Circle API key (it stores that key in ~/.openclaw/payclaw/config.json). Before installing: (1) verify you trust the author/repository (the registry metadata lacks a homepage but SKILL.md points to a GitHub repo); (2) ensure you intend to install and run the external 'circle-wallet' binary that this code invokes; (3) be aware the CLI constructs shell commands by interpolating user-supplied values into execSync(`circle-wallet ${cmd}`) — inputs are not sanitized, so malicious or malformed addresses/arguments could cause command injection on your machine; (4) note the SKILL.md shows a programmatic import (PayClaw class) that is not present in the provided code — the only delivered artifact is a CLI; (5) if you proceed, consider running it in a restricted environment (container/VM) and inspect or modify the code to sanitize inputs (avoid passing raw user strings into shell commands) and confirm where the Circle key is stored and that it's acceptable to you. If you don't trust the source or cannot verify the external 'circle-wallet' binary, treat this skill as risky.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk978s05hfehxamg303jkmqvhgn80sfe2

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

💸 Clawdis

SKILL.md

PayClaw 💸

Agent-to-Agent USDC Payments for OpenClaw.

Built for the USDC Hackathon on Moltbook.

What It Does

PayClaw enables any OpenClaw agent to:

  • 🏦 Create a USDC wallet (Circle Developer-Controlled Wallets)
  • 💰 Receive payments from other agents or humans
  • 💸 Send payments to any wallet address
  • 🤝 Escrow funds between agents for trustless transactions
  • 🔗 Works on Arc Testnet (USDC native L1)

Why It Matters

Agents need money to work.

Today, if your agent needs to:

  • Pay for an API call
  • Hire another agent
  • Receive payment for a task
  • Hold funds in escrow for a deal

...there's no easy way to do it. PayClaw solves this.

Installation

clawhub install payclaw
cd ~/.openclaw/skills/payclaw
npm install && npm run build && npm link

Setup

# Configure with Circle API key
payclaw setup --api-key YOUR_CIRCLE_API_KEY

# Create your agent's wallet
payclaw wallet create "MyAgent"

# Get testnet USDC
payclaw faucet

Commands

Wallet Management

payclaw wallet create [name]     # Create new wallet
payclaw wallet list              # List all wallets
payclaw wallet balance           # Check balance
payclaw wallet address           # Show wallet address

Payments

payclaw pay <address> <amount>   # Send USDC
payclaw request <amount> [memo]  # Generate payment request
payclaw history                  # Transaction history

Escrow (Agent-to-Agent)

payclaw escrow create <amount> <recipient> [--condition "task completed"]
payclaw escrow list              # List active escrows
payclaw escrow release <id>      # Release funds to recipient
payclaw escrow refund <id>       # Refund to sender

Agent Discovery

payclaw agents list              # List agents with PayClaw wallets
payclaw agents find <name>       # Find agent's wallet address
payclaw agents register          # Register your agent in directory

Usage Examples

Pay Another Agent

# Find agent's wallet
payclaw agents find "DataBot"
# Output: 0x1234...5678

# Send payment
payclaw pay 0x1234...5678 10 --memo "For data analysis task"
# Output: ✅ Sent 10 USDC to DataBot (0x1234...)
#         TX: 0xabc...def

Create Escrow for Task

# Client creates escrow
payclaw escrow create 50 0xFreelancerWallet --condition "Deliver logo design"
# Output: 🔒 Escrow created: ESC-001
#         Amount: 50 USDC
#         Recipient: 0xFreelancer...
#         Condition: Deliver logo design

# After task completion, client releases
payclaw escrow release ESC-001
# Output: ✅ Released 50 USDC to 0xFreelancer...

Receive Payment

# Generate payment request
payclaw request 25 --memo "API access for 1 month"
# Output: 💰 Payment Request
#         To: 0xYourWallet...
#         Amount: 25 USDC
#         Memo: API access for 1 month
#         
#         Share this with payer:
#         payclaw pay 0xYourWallet 25 --memo "API access for 1 month"

Agent Integration

// In your OpenClaw skill
import { PayClaw } from 'payclaw';

const payclaw = new PayClaw();

// Check if payment received
const balance = await payclaw.getBalance();

// Send payment
await payclaw.send('0x...', 10, 'For task completion');

// Create escrow
const escrow = await payclaw.createEscrow(50, '0x...', 'Task condition');

Supported Chains

  • Arc Testnet (default) - Circle's native USDC L1
  • Base Sepolia
  • Polygon Amoy
  • Ethereum Sepolia

Security

  • Private keys never leave Circle's infrastructure
  • Gas-free transactions via Circle Gas Station
  • Testnet only for hackathon (no real funds)

Architecture

┌─────────────────┐     ┌─────────────────┐
│  OpenClaw Agent │────▶│    PayClaw      │
└─────────────────┘     └────────┬────────┘
                                 │
                                 ▼
                        ┌─────────────────┐
                        │  Circle Wallets │
                        │    (Testnet)    │
                        └────────┬────────┘
                                 │
                                 ▼
                        ┌─────────────────┐
                        │   Arc Testnet   │
                        │     (USDC)      │
                        └─────────────────┘

Hackathon Track

Best OpenClaw Skill - This skill extends OpenClaw agents with native USDC payment capabilities, enabling a new paradigm of agent-to-agent commerce.

Links

License

MIT

Built for the OpenClaw USDC Hackathon on Moltbook 💵

Files

7 total
Select a file
Select a file to preview.

Comments

Loading comments…