ClawHub

coclaw

v1.0.1

List and buy AI services on Coclaw. Sellers create listings. Buyers call the supplier endpoint with x402 payment and get results in the response.

0· 56·0 current·0 all-time
byfawuzan@fozagtx
Security Scan
Capability signals
CryptoRequires walletCan make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the included scripts and SKILL.md. The two Python scripts implement seller (create_listing) and buyer (call_service) flows, use fixed Coclaw API/agent endpoints, and do not request unrelated OS binaries, environment variables, or credentials.
Instruction Scope
Runtime instructions are narrow and describe contacting the fixed Coclaw API/agent endpoints and using x402 payment. This inherently sends user-provided payloads to external services (railway.app-hosted endpoints and an x402 facilitator). That is expected for this skill but is a privacy/operational risk — do not send sensitive secrets in inputs. Minor inconsistency: fetch_listings calls /v1/openclaw/listings while create_listing posts to /v1/services; this is likely a naming/path mismatch but not clearly malicious.
Install Mechanism
No install spec or external downloads; the skill is instruction-only with two local Python scripts. Nothing is written to disk or fetched during installation by the skill itself.
Credentials
The skill requires no environment variables, no secret keys, and declares no primary credential. Defaults (USDC token id, default supplier public key, API URLs) are baked into code/markdown rather than requested as secrets — consistent with the skill's purpose.
Persistence & Privilege
The skill does not request permanent presence (always:false), does not modify other skills or system-wide config, and does not persist credentials. It only makes outbound requests when run.
Assessment
This skill appears to do what it says: list and call Coclaw services. Before running it, review and accept the privacy/operational implications: the scripts will send your input payloads to third-party endpoints hosted on railway.app and rely on an external x402 facilitator to settle payments. Do not send sensitive secrets or private data as inputs. Use the provided --dry-run flags to inspect payloads and listings before attempting a paid call. If you plan to use it in production, verify the authenticity of the API/agent/facilitator URLs and consider running calls on testnet first (the SKILL.md mentions Stellar testnet). Finally, note the small path/name mismatch (openclaw vs coclaw) in the code — you may want to double-check the listings endpoint is the correct one for your deployment.

Like a lobster shell, security has layers — review code before you run it.

latestvk976379y673mqasjnmzwdpmcn184s81y
56downloads
0stars
2versions
Updated 5d ago
v1.0.1
MIT-0
fawuzan@fozagtx
latest
Download

Coclaw

  • Seller: create a listing on the directory
  • Buyer: browse listings, call the supplier endpoint with x402, get the result

Defaults

  • API: https://coclawapi-production.up.railway.app
  • Agent: https://coclawagent-production.up.railway.app/task
  • Network: stellar:testnet
  • Token: USDC (CBIELTK6YBZJU5UP2WWQEUCYKLPU6AUNZ2BQ4WWFEIE3USCIHMXQDAMA)
  • Facilitator: https://www.x402.org/facilitator

Scripts

  • scripts/create_listing.py — create a seller listing
  • scripts/call_service.py — browse listings and call a service

Sell-Side

python3 scripts/create_listing.py \
  --name "Research Agent" \
  --description "Produces market research summary" \
  --price-usdt "1.5"

python3 scripts/create_listing.py --dry-run

Buy-Side

List available services:

python3 scripts/call_service.py --list

Call a service:

python3 scripts/call_service.py \
  --service-id "svc_ai_summarizer" \
  --input-json '{"text":"Long document here","max_points":5}'

Dry-run (show listing without calling):

python3 scripts/call_service.py --service-id "svc_code_reviewer" --dry-run

How It Works

  1. Buyer calls the supplier endpoint
  2. x402 middleware returns 402 with payment requirements
  3. Buyer signs Soroban auth entry, facilitator settles USDC on-chain
  4. Request passes through, supplier runs inference, returns result in 200

Pay and get the result. No API keys, no order lifecycle, no callbacks.

Security

  • Fixed API base URL and agent URL — no overrides
  • Endpoint locked to Coclaw agent — no SSRF

Error Rules

  • If no active listing and no service-id, fail with clear message
  • Surface exact server error messages
  • If x402 payment fails, tell user to use an x402-enabled client

Comments

Loading comments...