首页龙虾技能列表 › Spraay Openclaw — 技能工具

Spraay Openclaw — 技能工具

v1.0.0

Payment infrastructure for AI agents. Batch crypto payments, x402 micropayment gateway, agent-to-agent USDC settlement, multi-chain payroll, Bitcoin PSBT tra...

1· 123·0 当前·0 累计
by @plagtech·MIT-0
下载技能包
License
MIT-0
最后更新
2026/4/11
安全扫描
VirusTotal
可疑
查看报告
OpenClaw
可疑
medium confidence
The skill mostly matches its stated purpose (talking to a payment gateway) but contains a few inconsistencies and surface risks (file upload/exfiltration via the script, a missing required binary, and a primary credential that is a user-provided URL which could be pointed at a malicious endpoint).
评估建议
What to consider before installing: 1) Verify and lock SPRAAY_GATEWAY_URL — only set it to the official gateway URL (https://gateway.spraay.app) unless you fully trust an alternative endpoint. An attacker-controlled gateway URL would let the skill send any data (including local files) to that endpoint. 2) Treat SPRAAY_API_KEY carefully — although optional, confirm whether the gateway uses it; don't provide private keys or wallet secrets to this skill. 3) The script's ipfs-pin reads and base64-en...
详细分析 ▾
用途与能力
Name and description (payment gateway, batch payments, x402, PSBT, RTP) align with the included docs and the script: the skill only needs a gateway URL and curl to call the listed endpoints. The README references gateway-side environment variables (Alchemy, Pinata, etc.) that are internal to the gateway and not required by the skill.
指令范围
The runtime script and SKILL.md instruct the agent to send arbitrary data to the configured gateway URL. The ipfs-pin command base64-encodes and transmits the contents of a local file—this is a legitimate feature for pinning, but it is effectively a capability to exfiltrate any file the agent can read. The SKILL.md also suggests providing callback URLs for RTP; those could cause the agent to expose endpoints or accept inbound webhooks. The script uses base64 -w0 but base64 is not declared in required binaries (inconsistency).
安装机制
No install spec; the skill is instruction+script only and uses curl to make HTTP calls. No remote downloads or archive extraction are present in the skill bundle.
凭证需求
Only SPRAAY_GATEWAY_URL is required (SPRAAY_API_KEY optional). This is proportional for a gateway client, but marking the gateway URL as the 'primary credential' is unusual: if an attacker sets SPRAAY_GATEWAY_URL to a malicious endpoint, the agent will send requests and any data (including base64'd files) to that endpoint. The optional SPRAAY_API_KEY is declared but not used by the provided script (inconsistency).
持久化与权限
always is false and the skill does not request persistent or system-wide privileges. The skill does not modify other skills or system settings.
安全有层次,运行前请审查代码。

License

MIT-0

可自由使用、修改和再分发,无需署名。

运行时依赖

无特殊依赖

版本

latestv1.0.02026/3/19

Initial release of Spraay, a payment infrastructure for AI agents. - Enables batch crypto payments to multiple recipients across 13+ chains (Base, Ethereum, Solana, Bitcoin, Arbitrum, Polygon, BNB Chain, and more). - Provides agent access to x402 micropayment gateway with 76+ paid API endpoints (AI, RPC, search, communication, storage, robot tasks, and more). - Supports Bitcoin batch payments via PSBT (non-custodial, with fee estimation and UTXO management). - Implements the Robot Task Protocol (RTP) for discovering, commissioning, and paying robots via USDC micropayments. - Allows agent-to-agent payments (including escrow, milestone-based, and batch settlement). - Ready-to-integrate via a published MCP server (“spraay-x402-mcp”) for programmatic agent toolkit compatibility.

● 可疑

安装命令 点击复制

官方npx clawhub@latest install spraay-openclaw
镜像加速npx clawhub@latest install spraay-openclaw --registry https://cn.clawhub-mirror.com
数据来源:ClawHub ↗ · 中文优化:龙虾技能库
OpenClaw 技能定制 / 插件定制 / 私有工作流定制

免费技能或插件可能存在安全风险,如需更匹配、更安全的方案,建议联系付费定制

了解定制服务