ClawHub

TruCheq Protocol

v1.0.0

Interact with TruCheq P2P commerce protocol - browse verified marketplace listings, chat with sellers via XMTP, pay via x402 on Base

0· 31·0 current·0 all-time
byVlad@vduda
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The skill describes marketplace browsing, XMTP messaging, and x402 payments and only requires curl plus two config keys (TRUCHEQ_API_URL, XMTP_ENV), which align with the described network/API interactions.
Instruction Scope
Instructions limit actions to GET/POST calls against {TRUCHEQ_API_URL} and uploading images; they do not instruct reading local secrets or unrelated files. However, they omit how sensitive operations are authorized (no mention of wallet signing, API keys, or how 'payment proof' is generated), which is an important ambiguity for any agent that will attempt payments or message sending.
Install Mechanism
This is an instruction-only skill with no install spec and only requires curl already present — lowest-risk install model.
Credentials
Only TRUCHEQ_API_URL and XMTP_ENV are listed as config requirements (no secret keys requested), which is proportionate. That said, sensitive actions (creating listings, XMTP messages, and x402 payment flows) normally require authentication or wallet signatures; the lack of declared credentials raises questions about where authorization happens (server-side vs. client-side).
Persistence & Privilege
Skill is not always-enabled and does not request elevated or persistent system privileges; autonomous invocation is allowed (platform default) but not combined with other high-risk flags.
Assessment
The skill appears to do what it says, but verify the TRUCHEQ_API_URL endpoint before use. Ask the maintainer how authentication and payment proof generation are handled (does the server mediate payments and XMTP, or does the agent need wallet signing?). Do not supply private keys or secrets to the skill; test flows on the Sepolia/dev network only and confirm whether the API requires any API key or auth header. Be aware payments go directly to sellers (no escrow) and uploaded images/metadata will be sent to the configured TRUCHEQ_API_URL, so only use a trusted endpoint.

Like a lobster shell, security has layers — review code before you run it.

latestvk979k2w0nk0h3veghsg9npqsn5842q3t

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binscurl
ConfigTRUCHEQ_API_URL, XMTP_ENV

Comments