Clawpay — 技能工具

Name: Clawpay — 技能工具
Author: mmchougule

mmchougule

Clawpay — 技能工具

v0.1.0

[自动翻译] Private payments for AI agents - no on-chain link between sender and recipient

0· 1,468·1 当前·1 累计

by @mmchougule·MIT-0

AI模型访问智能体开发工具自动化

下载技能包

License

MIT-0

最后更新

2026/4/11

安全扫描

VirusTotal

可疑

查看报告

OpenClaw

可疑

medium confidence

The skill's behavior (sending on-chain funds via an external API using a wallet private key) is broadly consistent with a private-payments tool, but the metadata omits the fact it requires a private key and it directs users to trust an external service with fund custody — those mismatches and trust requirements are concerning.

评估建议

Before using this skill: (1) Understand the trust model — the script sends USDT to an invoice address returned by https://clawpay.dev and then asks that service to shield/unshield; you are trusting that operator with your funds and the privacy claim. (2) Do not paste your private key into unknown code or into environment variables on shared machines. Prefer a hardware wallet, an in-process signing flow, or the referenced Bankr wallet (verify Bankr's provenance) rather than exposing WALLET_KEY. (...

详细分析 ▾

ℹ 用途与能力

The name/description (private payments via Railgun) match the runtime instructions: sign a wallet message, send USDT to an invoice address, and call clawpay.dev endpoints to shield/unshield. However the skill metadata declares no required credentials or env vars while the runtime instructions explicitly require a wallet private key (WALLET_KEY). That omission is an incoherence between claimed requirements and actual needs.

✓ 指令范围

SKILL.md contains clear, concrete runtime steps (node script, sign message, call API endpoints, transfer tokens to invoice). It does not instruct the agent to read unrelated files or system secrets beyond the wallet key. The instructions do require executing user-supplied JS and making network calls to clawpay.dev, which is expected for this purpose.

✓ 安装机制

This is instruction-only (no install spec, no downloaded code). The user is told to run npm install ethers and execute the provided script locally — the install surface is small and transparent.

⚠ 凭证需求

The runtime requires a wallet private key (WALLET_KEY) but the skill metadata lists no required env vars or primary credential. Requesting a private key is proportionate to making payments, but the metadata omission is misleading and increases risk (users or agents may not realize a secret is needed). Also relying on an external API (clawpay.dev) means the service operator can control the invoice addresses and the shielding flow — users must trust that operator with custody or routing of funds.

✓ 持久化与权限

The skill does not request persistent presence (always:false), does not modify other skills or system configs, and has no install actions. Autonomous invocation is allowed by default on the platform; that is normal but raises general caution when combined with credential access (see guidance).

安全有层次，运行前请审查代码。

License

MIT-0

可自由使用、修改和再分发，无需署名。

查看条款 ↗

运行时依赖

无特殊依赖

版本

latestv0.1.02026/2/3

- Major update: SKILL.md rewritten for version 1.1.0 with detailed usage, API reference, and troubleshooting. - Added complete usage guide including sample Node.js script for sending private USDT payments. - Expanded API documentation with all endpoint descriptions and example payloads. - Included quickstart instructions, prerequisites, and support for Bankr wallet flows. - Provided guidance for common errors and testnet faucet usage. - Enhanced clarity around privacy features and supported tokens.

● 可疑

安装命令点击复制

官方npx clawhub@latest install clawpay-2

镜像加速npx clawhub@latest install clawpay-2 --registry https://cn.clawhub-mirror.com

技能文档

Send money privately. Recipient sees funds from Railgun - can't trace back to you.

Just Run It

Prerequisites: You need a wallet private key with USDT on BSC.

Save this as send-private.mjs and run with node send-private.mjs:

// send-private.mjs - Copy this entire file and run it
import { Wallet, JsonRpcProvider, Contract, parseUnits } from 'ethers';
// ============ CONFIGURE THESE ============
const PRIVATE_KEY = process.env.WALLET_KEY || '0xYOUR_PRIVATE_KEY';
const RECIPIENT = '0xRECIPIENT_ADDRESS';
const AMOUNT = '0.10';  // USDT amount
// =========================================
const API = 'https://clawpay.dev';
const BSC_RPC = 'https://bsc-dataseed.binance.org/';
const USDT = '0x55d398326f99059fF775485246999027B3197955';
const SIGN_MSG = 'b402 Incognito EOA Derivation';
async function sendPrivate() {
  const provider = new JsonRpcProvider(BSC_RPC);
  const wallet = new Wallet(PRIVATE_KEY, provider);
  const myAddress = wallet.address;
  console.log('Sending', AMOUNT, 'USDT privately to', RECIPIENT);
  console.log('From wallet:', myAddress, '\n');
  // 1. Sign message
  console.log('1. Signing...');
  const signature = await wallet.signMessage(SIGN_MSG);
  // 2. Get invoice address
  console.log('2. Getting invoice...');
  const invoiceRes = await fetch(
    API + '/invoice?eoa=' + myAddress + '&signature=' + encodeURIComponent(signature)
  );
  const { invoiceAddress } = await invoiceRes.json();
  console.log('   Invoice:', invoiceAddress);
  // 3. Transfer USDT to invoice
  console.log('3. Transferring USDT to invoice...');
  const usdt = new Contract(USDT, ['function transfer(address,uint256) returns (bool)'], wallet);
  const tx = await usdt.transfer(invoiceAddress, parseUnits(AMOUNT, 18));
  console.log('   TX:', tx.hash);
  await tx.wait();
  // 4. Execute private transfer
  console.log('4. Executing private transfer...');
  const transferRes = await fetch(API + '/transfer', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({
      eoa: myAddress,
      signature,
      recipient: RECIPIENT,
      amount: AMOUNT,
      token: 'USDT'
    })
  });
  const result = await transferRes.json();
  if (result.transferId) {
    console.log('\n✓ SUCCESS!');
    console.log('Transfer ID:', result.transferId);
    console.log('Status:', result.status);
    console.log('\nRecipient gets funds from Railgun in ~60 seconds.');
    console.log('They CANNOT see your wallet address.');
    console.log('\nCheck status: curl ' + API + '/status/' + result.transferId);
  } else {
    console.log('Error:', result.error);
  }
}sendPrivate().catch(console.error);

Run it:

npm install ethers
WALLET_KEY=0xYourPrivateKey node send-private.mjs

How It Works

YOU                    CLAWPAY API                 RECIPIENT
 │                          │                          │
 ├── USDT to invoice ──────►│                          │
 │                          │                          │
 ├── Sign message ─────────►│                          │
 │                          │                          │
 ├── POST /transfer ───────►│                          │
 │                          ├── Shield (Railgun) ─────►│
 │                          ├── ZK Proof (~60s) ──────►│
 │                          ├── Unshield ─────────────►│
 │                          │                          │
 │                          │    Funds from "Railgun"  │
 │                          │    NO LINK TO YOU        │

API Reference

Base URL: https://clawpay.dev

Endpoint	Method	Description
`/health`	GET	API status
`/invoice?eoa=...&signature=...`	GET	Get your invoice address
`/transfer`	POST	Send private payment
`/status/:id`	GET	Check transfer status
`/balance?eoa=...&signature=...&token=USDT`	GET	Check shielded balance
`/faucet`	POST	Get BNB for gas (testnet)

POST /transfer

{
  "eoa": "0xYourAddress",
  "signature": "0xSignedMessage...",
  "recipient": "0xRecipientAddress",
  "amount": "1.00",
  "token": "USDT"
}

Response:

{
  "transferId": "tx_123...",
  "status": "pending",
  "message": "Transfer initiated"
}

Status flow: pending → shielding → proving → complete

No Private Key? Use Bankr Wallet

If you're an agent without direct wallet access, use Bankr:

// 1. Get your wallet from Bankr
const bankrWallet = await bankr.getWallet();
// 2. Sign the ClawPay message
const signature = await bankr.signMessage('b402 Incognito EOA Derivation');// 3. Use signature with ClawPay API
// (same flow as above)

Supported Tokens (BSC)

Token	Address
USDT	`0x55d398326f99059fF775485246999027B3197955`
USDC	`0x8AC76a51cc950d9822D68b83fE1Ad97B32Cd580d`

Need Gas?

curl -X POST https://clawpay.dev/faucet \
  -H "Content-Type: application/json" \
  -d '{"address": "0xYourAddress"}'

Troubleshooting

Error	Fix
"Insufficient balance"	Transfer USDT to invoice first
"Signature does not match"	Sign exact message: `b402 Incognito EOA Derivation`
"No spendable UTXOs"	Wait 2 min after funding invoice

Privacy for the agent economy | Built on Railgun | https://clawpay.dev

Send money privately. Recipient sees funds from Railgun - can't trace back to you.

Just Run It

Prerequisites: You need a wallet private key with USDT on BSC.

Save this as send-private.mjs and run with node send-private.mjs:

// send-private.mjs - Copy this entire file and run it
import { Wallet, JsonRpcProvider, Contract, parseUnits } from 'ethers';
// ============ CONFIGURE THESE ============
const PRIVATE_KEY = process.env.WALLET_KEY || '0xYOUR_PRIVATE_KEY';
const RECIPIENT = '0xRECIPIENT_ADDRESS';
const AMOUNT = '0.10';  // USDT amount
// =========================================
const API = 'https://clawpay.dev';
const BSC_RPC = 'https://bsc-dataseed.binance.org/';
const USDT = '0x55d398326f99059fF775485246999027B3197955';
const SIGN_MSG = 'b402 Incognito EOA Derivation';
async function sendPrivate() {
  const provider = new JsonRpcProvider(BSC_RPC);
  const wallet = new Wallet(PRIVATE_KEY, provider);
  const myAddress = wallet.address;
  console.log('Sending', AMOUNT, 'USDT privately to', RECIPIENT);
  console.log('From wallet:', myAddress, '\n');
  // 1. Sign message
  console.log('1. Signing...');
  const signature = await wallet.signMessage(SIGN_MSG);
  // 2. Get invoice address
  console.log('2. Getting invoice...');
  const invoiceRes = await fetch(
    API + '/invoice?eoa=' + myAddress + '&signature=' + encodeURIComponent(signature)
  );
  const { invoiceAddress } = await invoiceRes.json();
  console.log('   Invoice:', invoiceAddress);
  // 3. Transfer USDT to invoice
  console.log('3. Transferring USDT to invoice...');
  const usdt = new Contract(USDT, ['function transfer(address,uint256) returns (bool)'], wallet);
  const tx = await usdt.transfer(invoiceAddress, parseUnits(AMOUNT, 18));
  console.log('   TX:', tx.hash);
  await tx.wait();
  // 4. Execute private transfer
  console.log('4. Executing private transfer...');
  const transferRes = await fetch(API + '/transfer', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({
      eoa: myAddress,
      signature,
      recipient: RECIPIENT,
      amount: AMOUNT,
      token: 'USDT'
    })
  });
  const result = await transferRes.json();
  if (result.transferId) {
    console.log('\n✓ SUCCESS!');
    console.log('Transfer ID:', result.transferId);
    console.log('Status:', result.status);
    console.log('\nRecipient gets funds from Railgun in ~60 seconds.');
    console.log('They CANNOT see your wallet address.');
    console.log('\nCheck status: curl ' + API + '/status/' + result.transferId);
  } else {
    console.log('Error:', result.error);
  }
}sendPrivate().catch(console.error);

Run it:

npm install ethers
WALLET_KEY=0xYourPrivateKey node send-private.mjs

How It Works

YOU                    CLAWPAY API                 RECIPIENT
 │                          │                          │
 ├── USDT to invoice ──────►│                          │
 │                          │                          │
 ├── Sign message ─────────►│                          │
 │                          │                          │
 ├── POST /transfer ───────►│                          │
 │                          ├── Shield (Railgun) ─────►│
 │                          ├── ZK Proof (~60s) ──────►│
 │                          ├── Unshield ─────────────►│
 │                          │                          │
 │                          │    Funds from "Railgun"  │
 │                          │    NO LINK TO YOU        │

API Reference

Base URL: https://clawpay.dev

Endpoint	Method	Description
`/health`	GET	API status
`/invoice?eoa=...&signature=...`	GET	Get your invoice address
`/transfer`	POST	Send private payment
`/status/:id`	GET	Check transfer status
`/balance?eoa=...&signature=...&token=USDT`	GET	Check shielded balance
`/faucet`	POST	Get BNB for gas (testnet)

POST /transfer

{
  "eoa": "0xYourAddress",
  "signature": "0xSignedMessage...",
  "recipient": "0xRecipientAddress",
  "amount": "1.00",
  "token": "USDT"
}

Response:

{
  "transferId": "tx_123...",
  "status": "pending",
  "message": "Transfer initiated"
}

Status flow: pending → shielding → proving → complete

No Private Key? Use Bankr Wallet

If you're an agent without direct wallet access, use Bankr:

// 1. Get your wallet from Bankr
const bankrWallet = await bankr.getWallet();
// 2. Sign the ClawPay message
const signature = await bankr.signMessage('b402 Incognito EOA Derivation');// 3. Use signature with ClawPay API
// (same flow as above)

Supported Tokens (BSC)

Token	Address
USDT	`0x55d398326f99059fF775485246999027B3197955`
USDC	`0x8AC76a51cc950d9822D68b83fE1Ad97B32Cd580d`

Need Gas?

curl -X POST https://clawpay.dev/faucet \
  -H "Content-Type: application/json" \
  -d '{"address": "0xYourAddress"}'

Troubleshooting

Error	Fix
"Insufficient balance"	Transfer USDT to invoice first
"Signature does not match"	Sign exact message: `b402 Incognito EOA Derivation`
"No spendable UTXOs"	Wait 2 min after funding invoice

Privacy for the agent economy | Built on Railgun | https://clawpay.dev

数据来源：ClawHub ↗ · 中文优化：龙虾技能库

OpenClaw 技能定制 / 插件定制 / 私有工作流定制

免费技能或插件可能存在安全风险，如需更匹配、更安全的方案，建议联系付费定制

了解定制服务

License

运行时依赖

版本

安装命令 点击复制

技能文档

Just Run It

How It Works

API Reference

POST /transfer

No Private Key? Use Bankr Wallet

Supported Tokens (BSC)

Need Gas?

Troubleshooting

Just Run It

How It Works

API Reference

POST /transfer

No Private Key? Use Bankr Wallet

Supported Tokens (BSC)

Need Gas?

Troubleshooting

安装命令点击复制