Elsa x402 API

This skill appears to implement what it claims (pay-per-call x402 payments + Elsa API access), but it requires you to provide a raw private key (PAYMENT_PRIVATE_KEY) that the code will use to sign payment messages and (if execution enabled) may sign transactions. Before installing: - Only use a dedicated payment wallet seeded with a small USDC balance (minimal funds). Do not put funds you cannot afford to lose into the PAYMENT_PRIVATE_KEY wallet. Consider using a separate TRADE_PRIVATE_KEY wallet for actual swaps. - Avoid storing high-value private keys in plaintext files. If you must place the key in ~/.openclaw/openclaw.json, ensure that file is permission-restricted, encrypted, or managed via a secure secret store. Prefer hardware-backed signing or ephemeral keys if supported. - Verify provenance: the registry metadata lists no homepage and the source is unknown. Inspect the repository (github.com/HeyElsa/elsa-openclaw referenced in docs) and vet the x402-axios dependency and other npm packages for supply-chain risk before running npm install. - Review the included code (especially scripts/x402Client.ts, scripts/index.ts, and utilities that write logs) to ensure audit logs and any local files are written to safe locations (ELSA_AUDIT_LOG_PATH) and that no unexpected remote endpoints are contacted beyond the documented Elsa API endpoints (x402.heyelsa.ai / x402-api.heyelsa.ai). - When enabling execution (ELSA_ENABLE_EXECUTION_TOOLS=true), require an explicit human verification step and confirm the confirmation token logic is enforced in your deployment. Because the skill asks for a very sensitive secret and the registry entry lacks clear provenance, treat it as suspicious until you confirm the code and origin and apply operational protections.