ClawHub

Agent-to-Agent Commerce: Build Autonomous B2B Transactions

v1.3.1

Agent-to-Agent Commerce: Build Autonomous B2B Transactions. Complete guide to agent-to-agent payments: escrow, performance escrow, split payments, subscripti...

0· 96·0 current·0 all-time
by@mirni
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
CryptoRequires walletCan make purchasesCan sign transactionsRequires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The name/description (agent-to-agent commerce, escrow, Stripe integration) align with the three required environment variables: GREENHELIX_API_KEY (gateway), AGENT_SIGNING_KEY (agent identity signing), and STRIPE_API_KEY (payment processing). There are no unrelated binaries, install steps, or config paths requested that would contradict the stated purpose.
Instruction Scope
The SKILL.md is a large, instruction-only guide with code examples and explicitly says it does not execute code. It references the GreenHelix sandbox (which it also claims does not require an API key) while still declaring GREENHELIX_API_KEY as required — a minor inconsistency. The instructions do not appear to direct reading or exfiltrating unrelated files or secrets beyond the declared credentials, but the guide’s examples likely demonstrate how to use those credentials for signing and payment API calls.
Install Mechanism
No install spec and no code files — lowest-risk delivery model. Nothing is downloaded or written to disk by the skill itself.
Credentials
The three required env vars are relevant to the stated function, but they are high-privilege: STRIPE_API_KEY can create/confirm payment intents, and AGENT_SIGNING_KEY is a private signing key (impersonation risk). The SKILL.md’s sandbox claim suggests a sandbox can be used without keys, so requiring live keys may be optional for full integration. Recommended to use test keys and least-privilege credentials.
Persistence & Privilege
always:false (no forced inclusion) and normal autonomous invocation settings. The skill does not request persistent system-wide changes or access to other skills’ configs.
Assessment
This is an educational, instruction-only guide that appears to be what it says: examples for agent-to-agent payments. Before using it: (1) verify the skill origin (no homepage/source provided here); (2) never paste your live Stripe secret or production signing keys into an environment used by untrusted skills — use Stripe test keys and sandbox keys first; (3) treat AGENT_SIGNING_KEY as highly sensitive (if used, keep it in a secure key manager and prefer ephemeral/test keys when following examples); (4) expect the guide’s examples to show API calls that could move money if run with live credentials — do not run examples with production keys unless you understand and trust the code and endpoints; (5) if you want to allow autonomous agents to invoke payment flows, restrict which credentials the agent can access and prefer scoped or ephemeral credentials.

Like a lobster shell, security has layers — review code before you run it.

ai-agentvk9775164csgyaxtmjr1nxwx8yx84wg7ccommercevk9775164csgyaxtmjr1nxwx8yx84wg7cescrowvk9775164csgyaxtmjr1nxwx8yx84wg7cgreenhelixvk9775164csgyaxtmjr1nxwx8yx84wg7cguidevk9775164csgyaxtmjr1nxwx8yx84wg7clatestvk9775164csgyaxtmjr1nxwx8yx84wg7cmulti-agentvk9775164csgyaxtmjr1nxwx8yx84wg7copenclawvk9775164csgyaxtmjr1nxwx8yx84wg7cpaymentsvk9775164csgyaxtmjr1nxwx8yx84wg7c

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

EnvGREENHELIX_API_KEY, AGENT_SIGNING_KEY, STRIPE_API_KEY
Primary envGREENHELIX_API_KEY

Comments