Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

my-pay

v1.0.1

A payment skill powered by mypay-bot CLI. Use this skill whenever the user wants to pay, make a payment, purchase something, buy items, checkout, transfer mo...


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for xhc1111/my-pay.

Prompt Preview: Install & Setup
Install the skill "my-pay" (xhc1111/my-pay) from ClawHub.
Skill page: https://clawhub.ai/xhc1111/my-pay
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install my-pay

ClawHub CLI


npx clawhub@latest install my-pay
Security Scan
Capability signals
  • Crypto
  • Requires wallet
  • Can make purchases
  • Can sign transactions
  • Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal

Benign

OpenClaw

Suspicious (medium confidence)
Purpose & Capability
The SKILL.md and included Python checker align with a mypay-bot CLI integration: requiring node/npm, python3, and two MyPay credentials is reasonable for this payment skill. However, the registry metadata at the top of the package lists no required env vars or binaries, which contradicts the documented runtime requirements — this metadata mismatch is an incoherence that should be resolved before trusting automatic installation or credential configuration.
Instruction Scope
The instructions tell the agent to run included commands (the Python checker and mypay-bot CLI) and to strictly preserve URLs and images "character for character," explicitly including query parameters and tokens. That instruction could lead to sensitive tokens being shown or copied exactly as-is; while it may be required for payment links, it increases the risk of accidental exposure or exfiltration if the agent is allowed to transmit outputs elsewhere. The instructions also say to "cache the summary" without specifying where or how, leaving storage and retention ambiguous.
Install Mechanism
There is no automatic install spec — the included scripts are a dependency checker only and do not modify the system or run npm install. The Python script does call shell commands via subprocess.run(..., shell=True) to run npm list; this is expected for a checker but is worth noting because it executes shell commands. Overall install risk is low because installs are manual per the instructions.
Credentials
The skill requires two sensitive credentials in SKILL.md (MYPAY_API_KEY and MYPAY_WALLET_SECRET), which are proportionate for a payment/wallet integration. The problem is the package's registry metadata did not declare these required environment variables — that mismatch is a red flag because users (and automated permission UIs) may not be prompted for the secrets the skill actually needs.
Persistence & Privilege
The skill does not request persistent system presence (always:false), does not modify other skills or system-wide config, and explicitly instructs users to run installs manually. No elevated persistence or unusual privileges are requested.
What to consider before installing
This skill mostly looks like a straightforward wrapper around an npm CLI, but two issues merit caution:

  1. The SKILL.md requires sensitive env vars (MYPAY_API_KEY and MYPAY_WALLET_SECRET) and node/npm/python3, yet the registry metadata omits those requirements. Treat that as an inconsistency and do not provide secrets until you confirm the publisher and the necessity of each credential.
  2. The skill instructs the agent to display and preserve payment URLs and tokens exactly, which can reveal secrets if outputs are forwarded or logged.

Before installing or enabling:

  • verify the mypay-bot npm package and its publisher (check npmjs.org and the package source);
  • confirm the skill publisher's identity;
  • provide credentials only to a publisher you trust;
  • restrict where the agent can send outputs (do not allow automatic external posting);
  • consider running the included Python checker yourself to confirm it only reports status (it appears to).

If you cannot confirm the mypay-bot package provenance and the skill publisher, treat the missing metadata and the instruction to surface raw tokens as an unacceptable risk.
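The metadata mismatch the scan describes (documented env vars and binaries that the registry entry never declares) is mechanically checkable. The script below is an added example written for this page, not ClawHub's own scanner: it extracts the environment variables and binaries a SKILL.md documents and diffs them against a declared-requirements dict. The SKILL.md excerpt is quoted from this page; the metadata shape (a dict with "env" and "binaries" lists) and the empty declaration are assumptions that mirror the scan finding.

```python
"""Cross-check the runtime requirements a SKILL.md documents against the
requirements the registry metadata declares.

Added example, not ClawHub tooling. The metadata shape below is assumed.
"""
import re

# Excerpt quoted from the my-pay SKILL.md as shown on the skill page.
SKILL_MD_EXCERPT = """\
System Requirements

  • python3: Required to run the dependency checker script
  • node / npm: Required to install and run the mypay-bot CLI globally
  • mypay-bot: The CLI binary itself — must be installed manually by the user

Authentication

  • MYPAY_API_KEY — API key from your MyPay dashboard.
  • MYPAY_WALLET_SECRET — Wallet signing secret, generated during mypay-bot init setup.

Prerequisites Check (MUST run first)

python3 "{{SKILL_DIR}}/scripts/install_mypay.py"
"""

# Assumed registry metadata: declares nothing, as the scan reports.
DECLARED_METADATA = {"env": [], "binaries": []}

# UPPER_SNAKE_CASE names with at least one underscore (e.g. MYPAY_API_KEY);
# the lookbehind skips {{TEMPLATE}} placeholders such as {{SKILL_DIR}}.
ENV_RE = re.compile(r"(?<!\{\{)\b[A-Z][A-Z0-9]*(?:_[A-Z0-9]+)+\b")
BULLET_RE = re.compile(r"^\s*•\s*([^:]+):")


def documented_requirements(skill_md: str):
    """Return (env_vars, binaries) that the SKILL.md text documents."""
    env_vars = set(ENV_RE.findall(skill_md))
    binaries = set()
    in_section = False
    for line in skill_md.splitlines():
        if line.strip() == "System Requirements":
            in_section = True
            continue
        if not in_section:
            continue
        m = BULLET_RE.match(line)
        if m:
            # "node / npm" documents two binaries on one bullet
            binaries.update(b.strip() for b in m.group(1).split("/"))
        elif line.strip():
            in_section = False  # the next heading ends the section
    return env_vars, binaries


def find_mismatches(skill_md: str, metadata: dict) -> dict:
    """List documented requirements that the metadata fails to declare."""
    env_vars, binaries = documented_requirements(skill_md)
    return {
        "env": sorted(env_vars - set(metadata.get("env", []))),
        "binaries": sorted(binaries - set(metadata.get("binaries", []))),
    }


if __name__ == "__main__":
    missing = find_mismatches(SKILL_MD_EXCERPT, DECLARED_METADATA)
    for kind, names in missing.items():
        if names:
            print(f"undeclared {kind}: {', '.join(names)}")
```

Run against the page's excerpt, it reports both credentials and all four binaries as undeclared; a permission UI driven only by the metadata would therefore never prompt for MYPAY_API_KEY or MYPAY_WALLET_SECRET.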


latest: vk974bengba7e23v6mv65ntanws852sjd
63 downloads
0 stars
2 versions
Updated 1w ago
v1.0.1
MIT-0

MyPay - Payment Skill

This skill handles payment workflows using the mypay-bot CLI tool.

System Requirements

  • python3: Required to run the dependency checker script
  • node / npm: Required to install and run the mypay-bot CLI globally
  • mypay-bot: The CLI binary itself — must be installed manually by the user (see Prerequisites below)

Authentication

mypay-bot requires two credentials to operate. These must be configured before the first payment:

  • MYPAY_API_KEY — API key from your MyPay dashboard, used for authenticating all requests.
  • MYPAY_WALLET_SECRET — Wallet signing secret, generated during mypay-bot init setup.

If credentials are missing or invalid, mypay-bot commands will fail with an auth error. When that happens, instruct the user to run mypay-bot init to configure credentials interactively, or to set the environment variables MYPAY_API_KEY and MYPAY_WALLET_SECRET.

Prerequisites Check (MUST run first)

Before doing anything else, run the dependency checker script:

python3 "{{SKILL_DIR}}/scripts/install_mypay.py"

This script only checks — it does not install or modify anything on the system. It verifies:

  1. Whether mypay-bot is installed globally
  2. Whether the installed version matches the pinned version (1.0.0)

Exit codes:

  • 0 — Ready to proceed.
  • 1 — mypay-bot is not installed. Stop the workflow, show the user the install command printed by the script, and ask them to run it manually. Do NOT run npm install yourself.
  • 2 — Installed but version mismatch. Inform the user an update is available and show the command. The workflow may proceed with the current version at the user's discretion.

The script never runs npm install or modifies global packages. Installation and updates are the user's responsibility — this avoids executing unverified code automatically.
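The checker behaviour described above (check only, exit 0/1/2, never install) can be implemented without the subprocess.run(..., shell=True) call the scan noted. The script below is an added example written for this page, not the skill's own install_mypay.py: it invokes npm with an argv list, parses the JSON that npm ls prints, and maps the result onto the documented exit codes. The package name and pinned version come from the SKILL.md; the sample npm output is constructed.

```python
"""Dependency checker for a pinned npm CLI.

Added example, not the skill's install_mypay.py. It only reports status and
never installs; npm is invoked with an argv list so no shell parses the
package name.
"""
import json
import shutil
import subprocess
import sys

PACKAGE = "mypay-bot"       # package name from the SKILL.md
PINNED_VERSION = "1.0.0"    # pinned version from the SKILL.md

# Exit codes as documented in the SKILL.md
READY, NOT_INSTALLED, VERSION_MISMATCH = 0, 1, 2

# Constructed sample of `npm ls -g --json --depth=0 mypay-bot` output, for offline use.
SAMPLE_NPM_LS = '{"name": "lib", "dependencies": {"mypay-bot": {"version": "1.0.0"}}}'


def installed_version(npm_ls_json: str, package: str = PACKAGE):
    """Return the globally installed version of `package` from the JSON that
    `npm ls -g --json --depth=0` prints, or None when it is absent/unparseable."""
    try:
        data = json.loads(npm_ls_json)
    except json.JSONDecodeError:
        return None
    entry = data.get("dependencies", {}).get(package)
    if not isinstance(entry, dict):
        return None
    return entry.get("version")


def classify(version, pinned: str = PINNED_VERSION) -> int:
    """Map an installed version (or None) onto the documented exit codes."""
    if version is None:
        return NOT_INSTALLED
    if version != pinned:
        return VERSION_MISMATCH
    return READY


def query_npm(package: str = PACKAGE) -> str:
    """Run npm with an argv list (no shell=True). npm ls exits non-zero when
    the package is missing, so check=False and stdout is parsed regardless."""
    npm = shutil.which("npm")
    if npm is None:
        return "{}"  # no npm at all: reported as "not installed"
    proc = subprocess.run(
        [npm, "ls", "-g", "--json", "--depth=0", package],
        capture_output=True, text=True, check=False,
    )
    return proc.stdout or "{}"


def main() -> int:
    version = installed_version(query_npm())
    code = classify(version)
    install_cmd = f"npm install -g {PACKAGE}@{PINNED_VERSION}"
    if code == NOT_INSTALLED:
        print(f"{PACKAGE} is not installed. Run manually:\n  {install_cmd}")
    elif code == VERSION_MISMATCH:
        print(f"{PACKAGE} {version} installed, {PINNED_VERSION} pinned. Update with:\n  {install_cmd}")
    else:
        print(f"{PACKAGE} {version} ready.")
    return code


if __name__ == "__main__":
    sys.exit(main())
```

The parsing and classification are separate from the npm invocation so they can be unit-tested on captured output, which is also how a reviewer can confirm a checker only reports status.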

Payment Workflow

Follow these steps in order. Do NOT skip any step.

Step 0: Capture Payment Intent

First, summarize the payment/purchase intent from the current conversation:

mypay-bot payment-intent

Review the output carefully. Then cache the summary:

mypay-bot payment-intent --summary

Step 1: Check Wallet Status

Verify the user's wallet is ready:

mypay-bot check-wallet

Review the wallet status output. If there are any issues (insufficient funds, locked wallet, etc.), inform the user before proceeding.

Step 2: Submit Payment

Execute the payment using the payment link from the previous steps:

mypay-bot submit-payment --payment-link "<payment_link>"

Replace <payment_link> with the actual payment link obtained from the workflow.

Critical Rules

  • Preserve all links and images exactly: Every URL, link, and image reference that appears in the output of any mypay-bot command MUST be copied in full — character for character, with no truncation, no summarization, no reformatting. This includes query parameters, tokens, hashes, and any other URL components. Display them to the user exactly as received.

  • Follow the step order strictly: Step 0 -> Step 1 -> Step 2. Do not skip or reorder.

  • Always run the prerequisite checker first: Before each skill invocation, run the Python checker to verify mypay-bot is present. Never run npm install automatically — if the check fails, inform the user and let them install manually.
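The first rule above requires URLs, including query parameters and tokens, to be shown to the user unmodified; the scan's concern is what happens when the same output is logged or forwarded. The script below is an added example written for this page, not part of the my-pay skill or mypay-bot: it masks the values of secret-bearing parameters in every URL found in a block of output, so the user still gets the exact link while the copy that leaves the session does not carry the token. The list of sensitive parameter names and the sample output are assumptions.

```python
"""Redact secret-bearing URL parameters from command output before that output
is logged or forwarded, while the unmodified output is still shown to the user.

Added example, not part of the my-pay skill. SENSITIVE_PARAMS is an assumed list.
"""
import re
from urllib.parse import urlsplit, urlunsplit

# Query/fragment parameter names treated as secrets (assumed list).
SENSITIVE_PARAMS = {"token", "access_token", "auth", "key", "api_key", "apikey",
                    "secret", "sig", "signature", "session", "code"}
URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""")
PLACEHOLDER = "<redacted>"


def _redact_params(params: str):
    """Rewrite the values of sensitive name=value pairs, keeping every other
    byte of the query/fragment string intact."""
    out, hits = [], []
    for piece in params.split("&"):
        name, sep, _value = piece.partition("=")
        if sep and name.lower() in SENSITIVE_PARAMS:
            out.append(f"{name}={PLACEHOLDER}")
            hits.append(name)
        else:
            out.append(piece)
    return "&".join(out), hits


def redact_url(url: str):
    """Return (url_with_secrets_masked, [masked parameter names]). Both the
    query and the fragment are checked: OAuth-style flows put access tokens
    in the fragment."""
    parts = urlsplit(url)
    query, q_hits = _redact_params(parts.query)
    fragment, f_hits = _redact_params(parts.fragment)
    if not q_hits and not f_hits:
        return url, []  # nothing sensitive: return the original unchanged
    return urlunsplit(parts._replace(query=query, fragment=fragment)), q_hits + f_hits


def redact_text(output: str):
    """Mask secrets in every URL in `output`. Returns the safe-to-log text and
    a list of (original_url, masked_params) for auditing."""
    findings = []

    def _sub(match):
        url = match.group(0)
        safe, hits = redact_url(url)
        if hits:
            findings.append((url, hits))
        return safe

    return URL_RE.sub(_sub, output), findings


# Constructed sample resembling what a payment CLI might print (not real output).
SAMPLE_OUTPUT = (
    "Payment link: https://pay.example.com/checkout?order=123&token=abcDEF&sig=xyz\n"
    "Callback: https://app.example.com/cb#access_token=tok123&state=1\n"
    "Logo: https://cdn.example.com/logo.png\n"
)

if __name__ == "__main__":
    safe, found = redact_text(SAMPLE_OUTPUT)
    print(safe)  # this copy is what may go to logs or other tools
    for url, hits in found:
        print(f"masked {hits} in {url.split('?')[0].split('#')[0]}")
```

Use the unredacted output only for the user-facing display and route the redacted copy to anything persistent or external; the findings list tells you which links carried a secret and therefore deserve a closer look before the payment is submitted.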
