Agent Payment Protocol

v0.1.0

Facilitate secure agent-to-agent payments via Solana on-chain transactions with quote creation, approval, payment recording, and audit logging in IRC channels.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto · Can make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
The SKILL.md and index.js both implement the same functionality: create quotes, approve payments, record confirmed Solana transactions, and maintain local JSONL ledgers. The package.json dependency (@solana/web3.js) is consistent with Solana integration. The skill does not request unrelated credentials or access.
Instruction Scope
The runtime instructions focus on quoting, approving, calling an external solana-transfer skill to send SOL, and local ledger maintenance. They do not instruct the agent to read arbitrary system files or exfiltrate data. The SKILL.md references workspace paths and shows explicit steps (npm install, import functions) that stay within the payment protocol scope.
Install Mechanism
There is no platform install spec, but SKILL.md instructs running npm install in the skill folder, which will fetch @solana/web3.js from the public npm registry. This is a standard package install (moderate trust). There are no direct downloads from unknown hosts or extract-from-URL steps.
Credentials
The skill declares no required environment variables or credentials and does not attempt to access secrets. It requires wallet addresses (payer/recipient) at runtime but does not request private keys; sending SOL is delegated to a separate solana-transfer skill (which is where signing/keys would be handled).
Persistence & Privilege
The skill persists data in local files (quotes.jsonl and payments.jsonl) within its own directory (uses __dirname). It does not request permanent platform-wide presence, does not set always:true, and does not modify other skills' configs.
Assessment
This skill appears coherent and implements a local quoting/payment ledger that delegates actual SOL transfers to a separate solana-transfer skill. Before installing:

1) Confirm how the solana-transfer skill stores and protects signing keys — this skill does not hold private keys and relies on the transfer skill to perform signed transactions.
2) Audit the @solana/web3.js dependency (npm will be invoked) in a secure environment to avoid supply-chain risk.
3) Be aware that payments require explicit approval calls (approvePayment) that specify the target wallet; treat incoming IRC quotes as untrusted until you verify the quoted recipient wallet to avoid social-engineering payments to a malicious address.
4) Note that quotes and payments are stored in append-only JSONL files under the skill directory — protect file permissions if ledger confidentiality is a concern.

If you want stronger guarantees (signed on-chain receipts, replay protection, multi-signature approvals), consider reviewing/enhancing the workflow or the solana-transfer integration.
