ROZO Intents Pay & Bridge

v1.0.2

Cross-chain crypto payments and bridging via Rozo. Send USDC/USDT across Ethereum, Base, BNB Chain, Solana, and Stellar. Use when user says "pay", "send", "t...

by Shawn Muggle @shawnmuggle
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto · Requires wallet · Can make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal
Benign
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the included scripts and SKILL.md: parsing QR URIs, checking balances, Stellar trustline checks, creating and fetching payments via Rozo APIs. Required capabilities (Node, network access to Rozo endpoints and Horizon) are appropriate for a payment/bridge skill. No unrelated credentials, binaries, or system paths are requested.
Instruction Scope
SKILL.md instructs the agent to parse QR content (agent must decode images), run the provided node scripts, fetch balances, get fees, and confirm before sending. All actions are scoped to payment flows. The instructions do not tell the agent to read arbitrary system files, exfiltrate environment variables, or contact unexpected third‑party endpoints beyond the Rozo and Stellar APIs noted in the documentation.
Install Mechanism
There is no install spec — this is instruction‑only at install time. The repo contains JS/TS scripts that are intended to be run with Node (scripts/dist/*.js). No downloads from untrusted URLs or archive extraction are present in the skill metadata. Runtime requires Node.js to execute local scripts.
Credentials
The skill declares no required env vars or credentials and uses public, unauthenticated Rozo endpoints and the Stellar Horizon API. Tests in the repo reference a local .env.dev file (scripts/tests/fixtures.ts) — this is for development/testing only and is not required at runtime, but if you run tests you should inspect that file for secrets. No credentials are requested by the runtime instructions.
Persistence & Privilege
Skill is not marked always:true and does not request persistent system modification. disable-model-invocation is the default (agent may invoke autonomously), which is expected for skills. The skill does not modify other skills or global agent settings.
Assessment
This skill appears coherent for cross‑chain USDC/USDT payments: it runs local Node scripts and calls Rozo APIs and Stellar Horizon. Before installing, consider: (1) the skill requires Node.js and permission to run the local scripts — only allow it in a trusted environment; (2) it will ask you for wallet addresses and may instruct you to invoke wallet transactions, but it does not request private keys or API keys — never provide private keys; (3) if you plan to send real funds, test with a very small amount first and verify the token contract addresses and destination addresses shown in confirmations; (4) the repo includes test code that reads a .env.dev file for development — inspect any local env files you provide for secrets; (5) verify the external hosts (intentapiv4.rozo.ai, api-balance.rozo-deeplink.workers.dev, horizon.stellar.org) are legitimate for your use. If you need more assurance, run the scripts in a sandbox and review network requests (or have a developer inspect code) before enabling autonomous invocation.

Like a lobster shell, security has layers — review code before you run it.

latest: vk97dg24r86p1303vxewct2kbwn84deap

