Nevermined Payments
v0.1.0
Integrates Nevermined payment infrastructure into AI agents, MCP servers, Google A2A agents, and REST APIs. Handles the x402 protocol, credit billing, payment plans, and SDK integration for TypeScript (@nevermined-io/payments) and Python (payments-py).
by @aaitor
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name and SKILL.md consistently describe Nevermined payment integration (x402, credit billing, SDK usage) and the referenced env vars (NVM_API_KEY, NVM_PLAN_ID, etc.) make sense for that purpose. However, registry metadata lists no required environment variables or primary credential, which contradicts the runtime instructions that explicitly require API keys, plan IDs, and wallet addresses.
Instruction Scope
SKILL.md and the reference docs stay focused on integrating the x402 payment flow and show framework-specific middleware and client flows. The instructions ask the runtime to read environment variables (NVM_API_KEY, NVM_PLAN_ID, NVM_AGENT_ID, BUILDER_ADDRESS) and to call Nevermined facilitator APIs — these actions are coherent with the described purpose. There are example snippets that include unrelated example variables (e.g., OPENAI_API_KEY) for demonstration; that is not intrinsically malicious but is extra surface to review.
Install Mechanism
This is an instruction-only skill with no install spec and no bundled code. It instructs the user to install official-looking SDKs from npm or PyPI (@nevermined-io/payments and payments-py). Because the skill doesn't download arbitrary archives itself, install risk is low — but you should still verify the SDK packages on the registries before installation.
Credentials
The runtime docs require sensitive values (NVM_API_KEY, NVM_PLAN_ID, NVM_AGENT_ID, BUILDER_ADDRESS) that grant payment and registration authority; those are appropriate for a payments integration, but the skill registry metadata does not declare them, creating a mismatch. Examples also reference OPENAI_API_KEY in sample integrations, which is unrelated to payments; handing that key to code or middleware should be considered carefully. The require-but-not-declare mismatch and the multiple sensitive env-var examples raise concern about transparency.
Persistence & Privilege
The skill does not request 'always: true' or system-wide modification privileges. It is user-invocable and allows normal autonomous invocation (platform default). Nothing in the docs indicates the skill will modify other skills' configs or demand permanent agent-wide installation.
What to consider before installing:
- Metadata mismatch: the registry shows no required env vars, but SKILL.md clearly expects NVM_API_KEY, NVM_ENVIRONMENT, NVM_PLAN_ID, and sometimes NVM_AGENT_ID/BUILDER_ADDRESS. Treat that as a red flag — confirm with the skill author or the package source why metadata omits these.
- Verify origin: there is no homepage and the source is 'unknown'. Find the official package repositories on npm/PyPI and the Nevermined organization pages (or ask the publisher for a source URL) before installing any SDKs or running sample code.
- Least privilege for keys: if you proceed, use sandbox/test API keys, give minimal permissions to any builder wallet address, and avoid using production keys (or OpenAI keys) in examples until you trust the code. Rotate keys after testing.
- Inspect SDKs: because this skill is instruction-only, the actual behavior will come from external SDKs (@nevermined-io/payments, payments-py). Manually review those packages on their registries (and their source code) before installing.
- Logging and secrecy: do not expose full tokens in logs; the docs advise hashing tokens — follow that. Run integrations in isolated/test environments first and monitor network calls and logs for unexpected endpoints.
What would increase confidence: a verified source/homepage or repository, matching registry metadata that declares the required env vars, or a signed package release. If you can provide the SDK package links or the author's repository, I can re-evaluate with higher confidence.
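The metadata-mismatch and logging points above can be checked mechanically before anything is installed. The script below is an added example and is not part of this skill, the OpenClaw scanner, or the Nevermined SDKs: it extracts the environment variables a SKILL.md and its reference docs read, compares them with what the registry metadata declares, flags the credential-like names, and shows the hash-fingerprint pattern for logging a key without exposing it. The SKILL.md excerpt, the `requires.env` metadata shape, and the key value are all constructed for illustration; the real registry schema may differ.

```python
"""Pre-install check for an instruction-only skill.

Added example, not code from the skill or from Nevermined. Finds the
environment variables the docs read, diffs them against the registry
metadata, and fingerprints a secret for log-safe correlation.
"""
import hashlib
import re

# Constructed excerpt standing in for a SKILL.md plus its reference docs.
SKILL_MD = """\
Set NVM_API_KEY and NVM_ENVIRONMENT before starting the agent.
const planId = process.env.NVM_PLAN_ID;
agent_id = os.environ["NVM_AGENT_ID"]
builder = os.getenv("BUILDER_ADDRESS")
export OPENAI_API_KEY=sk-...   # only for the LangChain sample
"""

# Constructed registry metadata mirroring the scan finding: nothing declared.
# The "requires.env" shape is an assumption, not a known registry schema.
REGISTRY_METADATA = {"name": "nevermined-payments", "requires": {"env": []}}

# Forms under which docs and snippets usually read an environment variable.
_ENV_PATTERNS = [
    r"process\.env\.([A-Z_][A-Z0-9_]*)",                      # Node
    r"os\.environ(?:\.get)?[\[\(]\s*[\"']([A-Z_][A-Z0-9_]*)",  # Python os.environ
    r"os\.getenv\(\s*[\"']([A-Z_][A-Z0-9_]*)",                # Python os.getenv
    r"\$\{?([A-Z_][A-Z0-9_]*)\}?",                            # shell $VAR / ${VAR}
    r"export\s+([A-Z_][A-Z0-9_]*)=",                          # shell export
]
# Bare UPPER_SNAKE names in prose count only with a config-like suffix,
# so tokens such as MIT or SDK are not picked up.
_PROSE_SUFFIXES = ("_KEY", "_SECRET", "_TOKEN", "_ID", "_ADDRESS", "_ENVIRONMENT", "_URL")
_PROSE_PATTERN = r"\b([A-Z][A-Z0-9]*(?:_[A-Z0-9]+)+)\b"
# Names whose values are credentials; undeclared ones are the transparency red flag.
_SENSITIVE_SUFFIXES = ("_KEY", "_SECRET", "_TOKEN", "_PASSWORD")


def find_env_refs(text: str) -> set[str]:
    """Return every environment-variable name the text appears to read."""
    refs: set[str] = set()
    for pattern in _ENV_PATTERNS:
        refs.update(re.findall(pattern, text))
    for name in re.findall(_PROSE_PATTERN, text):
        if name.endswith(_PROSE_SUFFIXES):
            refs.add(name)
    return refs


def undeclared_env(text: str, metadata: dict) -> list[str]:
    """Names the docs read that the registry metadata does not declare."""
    declared = set(metadata.get("requires", {}).get("env", []))
    return sorted(find_env_refs(text) - declared)


def is_sensitive(name: str) -> bool:
    """True for credential-like names (API keys, tokens, secrets)."""
    return name.endswith(_SENSITIVE_SUFFIXES)


def fingerprint(secret: str) -> str:
    """Log-safe stand-in for a secret: a SHA-256 prefix is enough to correlate
    log lines to one key without ever writing the key itself."""
    digest = hashlib.sha256(secret.encode()).hexdigest()
    return f"sha256:{digest[:12]}"


def report(text: str, metadata: dict) -> dict:
    """Summarise the require-but-not-declare mismatch for a skill."""
    missing = undeclared_env(text, metadata)
    return {
        "undeclared": missing,
        "undeclared_sensitive": [n for n in missing if is_sensitive(n)],
        "verdict": "mismatch" if missing else "ok",
    }


if __name__ == "__main__":
    print(report(SKILL_MD, REGISTRY_METADATA))
    # Log the fingerprint, never the value. The key below is constructed.
    print("api key in use:", fingerprint("nvm-key-constructed-for-demo"))
```

Run it against the real SKILL.md and the registry's metadata export; a "mismatch" verdict with entries under `undeclared_sensitive` is the condition the scan describes, and the same `fingerprint` helper can wrap any key before it reaches a log line or a support ticket.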
