ClawHub

moneydevkit

v0.2.0

Accept payments on any website using moneydevkit. Use when building a site that sells something, adding a checkout/paywall, or integrating payments into a Ne...

2· 1.8k·0 current·0 all-time
bySatbot@satbot-mdk
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The name/description describe adding payments and the SKILL.md only asks for an API key (MDK_ACCESS_TOKEN) and a wallet seed (MDK_MNEMONIC) plus npx for CLI flows — all of which align with a payments SDK that can control a Lightning wallet. Required binaries (npx) and documented endpoints (mcp.moneydevkit.com, docs.moneydevkit.com) are appropriate for the stated purpose.
Instruction Scope
Runtime instructions focus on creating credentials, setting environment variables, and integrating the provided packages into Next.js or Replit apps. The guide does not instruct reading unrelated system files or exfiltrating data; it explicitly warns not to commit or log the mnemonic. It does reference using an MCP server and the 'claude mcp' helper to obtain credentials, which is consistent with the workflow.
Install Mechanism
This is an instruction-only skill with no install spec or code files included, which is lower risk. The docs instruct using npm/npx to install @moneydevkit packages; that is a normal, expected mechanism. Recommended additional caution: verify the npm packages and their source before running installs.
Credentials
The two requested secrets (MDK_ACCESS_TOKEN and MDK_MNEMONIC) are directly relevant: the token is an app-scoped API key and the mnemonic is documented as the wallet seed controlling funds. That makes the request proportionate to a wallet-capable payments SDK but the mnemonic is a high-privilege secret (full control of the wallet), so its request materially increases risk and needs explicit handling (testnet, dedicated wallet, hardware/managed custody, secrets manager).
Persistence & Privilege
Flags are default: always=false and model invocation is allowed (normal). The skill does not request system-wide config changes, does not attempt to modify other skills, and has no install-time persistence specified.
Assessment
This skill appears to do what it says, but it requires a wallet seed phrase (MDK_MNEMONIC), which grants full control of funds — treat it like a private key. Before installing: (1) Verify the moneydevkit npm packages and the vendor (check the npm org, GitHub repo, and HTTPS docs) rather than trusting the skill metadata alone. (2) Prefer testing on signet/testnet and with disposable wallets. (3) If possible, avoid handing a raw mnemonic to third-party hosted services; use limited-scope API keys, hardware wallets, or a separate custody solution. (4) Store secrets in a secrets manager or platform env vars (never commit to git, never paste in chat). (5) If you must use a mnemonic, isolate it to a dedicated app and be prepared to rotate/rotate API keys and regenerate a new wallet if compromised. (6) Audit any @moneydevkit package code you install locally before running it.

Like a lobster shell, security has layers — review code before you run it.

latestvk971zgxch1s7tvh722cj0mx56x81dr0e

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binsnpx
EnvMDK_ACCESS_TOKEN, MDK_MNEMONIC

Comments