Locus Contractors

v1.0.0

Enables AI agents to send USDC payments and order freelance services through an escrow-backed marketplace on Base. Handles wallet management, Fiverr-style gig ordering with tiered pricing, and order status polling. Use when the agent needs to make crypto payments, hire freelancers, or check order status on Locus.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's operations (USDC transfers, escrow-backed orders, order polling) align with its name and description. However, the SKILL.md explicitly requires an API key (LOCUS_API_KEY or ~/.config/locus/credentials.json) while the registry metadata lists no primary credential or required env vars — an important metadata omission that makes installation decisions harder and is inconsistent with the stated purpose.
Instruction Scope
Runtime instructions stay within the skill's stated domain: calling api.paywithlocus.com, polling orders, saving local state for order memory, and asking humans to generate and provide an API key. The instructions do ask the agent/user to download skill files and to write credentials and state to ~/.config/locus and ~/.locus/skills; these are within-scope for this kind of payment/marketplace skill but do increase the local state and require trusting the remote host.
Install Mechanism
This is an instruction-only skill (no declared install spec), but SKILL.md contains explicit curl commands that download files from https://paywithlocus.com and instruct overwriting local files. The domain is a custom site (not a well-known package host), and the skill also instructs you to re-fetch these files for updates. That creates a supply-chain risk: the content served at that domain could change later and the instructions encourage automatic re-fetching.
Credentials
The skill requires an API key (prefixed claw_) and recommends saving it to ~/.config/locus/credentials.json or using LOCUS_API_KEY, but the registry metadata lists no required env vars or primary credential. Requesting a single service API key is proportionate to the capability, but failing to declare it in metadata is an inconsistency that reduces transparency. The onboarding also instructs the human to create and retain a wallet private key (recovery) — that private key should not be given to the agent and the skill explicitly says so, which is appropriate but relies on user behavior.
Persistence & Privilege
The skill does not request platform-level persistence flags (always:false) and does not modify other skills. However, its instructions encourage creating local state files (~/.config/locus/* and ~/.locus/skills/*) and doing periodic heartbeats (re-fetching files and polling the API). If an agent follows these instructions autonomously, it gains ongoing ability to poll and (with the API key) initiate payments — so users should ensure guardrails (allowance/approval threshold) are set. The skill itself does not declare any elevated platform privileges.
What to consider before installing
- Metadata mismatch: SKILL.md requires a Locus API key (LOCUS_API_KEY or ~/.config/locus/credentials.json) but the registry metadata lists no required credential — ask the publisher to update metadata to declare the credential before installing.
- Supply-chain/trust: the instructions tell you to curl files from https://paywithlocus.com and re-fetch them for updates. Only install or auto-update if you trust that domain and operator. Prefer reviewing the content served there before saving/auto-updating.
- API key handling: the key grants the ability to move funds. Store it with care (use least-privilege if the service supports scoped keys), and do not share your wallet private key with the agent. Configure the dashboard guardrails (allowance, max txn size, approval threshold) to require human approval for significant amounts.
- Local files: the skill will create/overwrite files under ~/.config/locus and ~/.locus/skills and will request writing memory files; be comfortable with that filesystem footprint.
- Testing: test with a low-balance or sandbox key first. Confirm responses from https://api.paywithlocus.com look legitimate and that the dashboard controls work as described.

If you cannot verify the publisher or do not want to trust a custom domain for automatic updates and credentials, treat this skill as untrusted and do not install or give it a live API key.

Like a lobster shell, security has layers — review code before you run it.
