payrail402
v1.0.2Cross-rail spend tracking for AI agents — Visa IC, Mastercard Agent Pay, Stripe ACP, x402, and ACH in one dashboard.
⭐ 0· 499·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
high confidencePurpose & Capability
The name/description (agent spend tracking across payment rails) aligns with the declared env vars (webhook token, API key, agent ID) and the tools provided (track, register, status). Requested credentials map to the described auth flows (webhook token for single-agent ingest; API key + agent ID for multi-agent/status).
Instruction Scope
SKILL.md and openclaw-skill.js instruct only HTTP requests to the service endpoint and tool calls for tracking/registration/status. The instructions do not ask the agent to read files, execute shell commands, or access other unrelated environment variables or system state. The code only constructs JSON HTTP requests and returns responses.
Install Mechanism
There is no install spec (instruction-only skill with a single JS file). Nothing in the package pulls arbitrary executables or downloads code at install time. The skill relies on runtime HTTP calls only.
Credentials
The three required env vars are proportionate: a per-agent webhook token (primary credential) or an API key + agent ID for multi-agent setups. The agentId is documented as a non-secret identifier. No unrelated secrets or broad cloud credentials are requested.
Persistence & Privilege
The skill is not marked always:true and does not modify other skills or system-wide settings. It asks for no persistent system-level privileges beyond normal skill configuration.
Assessment
This skill appears coherent and limited to reporting agent transactions to the PayRail402 API. Before installing: 1) Verify you trust the service endpoint (the code defaults to a railway.app host while README refers to payrail402.com); confirm the TLS certificate and operator. 2) Use the least-privilege credentials: prefer a per-agent webhook token for single agents, and create scoped API keys for multi-agent setups. 3) Avoid sending sensitive payment data (full card numbers, unmasked PII) in the description or metadata — only send the minimal transaction fields required. 4) Rotate keys/tokens regularly and limit webhook token reuse across agents. 5) If you need stronger assurance, contact the operator or verify the npm SDK / homepage references exist (the README references an npm package and docs) and audit the remote API behavior on a test account before giving production tokens.Like a lobster shell, security has layers — review code before you run it.
agent-treasuryvk978p2erjx7sd0qsnjv200dxrh81ke67ai-agents payments transaction-tracking fintech x402 visa mastercard stripe ach budget-enforcement anomaly-detection spend-management agent-economy cross-rail reconciliationvk97fjhw9e9jknya6dy3c112hns81v9neapivk978p2erjx7sd0qsnjv200dxrh81ke67basevk978p2erjx7sd0qsnjv200dxrh81ke67budgetvk978p2erjx7sd0qsnjv200dxrh81ke67cryptovk978p2erjx7sd0qsnjv200dxrh81ke67ethereumvk978p2erjx7sd0qsnjv200dxrh81ke67fundingvk978p2erjx7sd0qsnjv200dxrh81ke67latestvk97fjhw9e9jknya6dy3c112hns81v9nemicropaymentsvk978p2erjx7sd0qsnjv200dxrh81ke67paymentsvk978p2erjx7sd0qsnjv200dxrh81ke67stripevk978p2erjx7sd0qsnjv200dxrh81ke67usdcvk978p2erjx7sd0qsnjv200dxrh81ke67walletvk978p2erjx7sd0qsnjv200dxrh81ke67x402vk978p2erjx7sd0qsnjv200dxrh81ke67
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
⚡ Clawdis
EnvPAYRAIL402_WEBHOOK_TOKEN, PAYRAIL402_API_KEY, PAYRAIL402_AGENT_ID
Primary envPAYRAIL402_WEBHOOK_TOKEN