xClaw02

Make x402 payments. Pay for APIs, sell your services, handle 402 Payment Required responses with USDC on Base and other EVM chains.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md describes a legitimate purpose (making/receiving x402 payments, wallet management, probing 402 responses) and the required runtime binaries (node/npx/python3/pip) fit that purpose. However, the registry metadata declares no required environment variables or primary credential while the runtime docs explicitly reference a sensitive environment variable (XCLAW02_PRIVATE_KEY) and XCLAW02_NETWORK — this mismatch is unexplained.
Instruction Scope
The instructions tell the agent/user to create wallets, store config under ~/.openclaw/skills/xclaw02/, and to use XCLAW02_PRIVATE_KEY for signing payments. That means private keys or signing artifacts may be written to disk and read from env vars. The SKILL.md also instructs installing packages (pip install / npx) and running CLI commands that will fetch and execute remote code. Storing/handling private keys and automatically invoking installers are sensitive behaviors and should be carefully audited.
Install Mechanism
There is no install spec in the skill bundle itself (instruction-only), which is lower static risk. But the documentation expects the user/agent to run `pip install xclaw02` or `npx xclaw02`, which will pull code from package registries (npm/pypi). Because the skill package source is listed as 'unknown' and the registry header earlier said 'Homepage: none' while _meta.json embeds a homepage/repository, the provenance is ambiguous. Installing packages from registries is expected for this kind of tool but should be done only after verifying the package and repo.
Credentials
Using a private key (XCLAW02_PRIVATE_KEY) is necessary to sign payments, so requesting a private key is proportionate to the payment purpose — but the skill metadata does not declare that env var as required, which is an inconsistency. The skill also instructs saving config and keys to a home directory path, which increases the persistence and blast radius if keys are compromised. No other external credentials are requested, but the omission of the private-key requirement from the declared requirements is notable.
Persistence & Privilege
always:false and model invocation defaults are fine. The skill will persist configuration and potentially private keys under ~/.openclaw/skills/xclaw02/, which is normal for a CLI wallet but is a persistence of sensitive material. The skill does not request system-wide privileges or claim to modify other skills.
What to consider before installing
This skill appears to be a real payment tool, but proceed carefully: do not paste or send your main private keys into chat or to an unverified package. Before installing or using it, verify the package source and repository (check the GitHub repo and publisher identity), inspect the package code (npm/PyPI) or request a signed release, and prefer an ephemeral or limited-funds wallet for testing rather than your main funds. If you must provide a private key, consider using a signing service or hardware wallet rather than storing plain keys in env vars or ~/.openclaw. Confirm where the tool stores keys/config and lock down file permissions. Finally, use the CLI's --dry-run and wallet balance checks first, and request the skill author/publisher details if provenance remains unclear.
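The metadata mismatch flagged in this scan can be checked mechanically before install. The following is an added example, not part of the scanner or of xClaw02: it lists environment variables that a SKILL.md references but the registry metadata does not declare. The excerpt is constructed from lines of the SKILL.md on this page, and the access patterns and sensitive-name heuristic are assumptions of the example.

```python
import re

# Ways the page's own snippets read the environment. Bare names carrying the
# skill's prefix (prose such as "set XCLAW02_NETWORK") are matched separately.
ACCESS_PATTERNS = [
    re.compile(r"process\.env\.([A-Za-z_][A-Za-z0-9_]*)"),
    re.compile(r"os\.environ\[\s*['\"]([A-Za-z_][A-Za-z0-9_]*)['\"]\s*\]"),
    re.compile(r"os\.(?:getenv|environ\.get)\(\s*['\"]([A-Za-z_][A-Za-z0-9_]*)['\"]"),
]
# Heuristic (assumption): name components that usually indicate a secret.
SENSITIVE = re.compile(r"(?:^|_)(?:PRIVATE|KEY|SECRET|TOKEN|MNEMONIC|PASSWORD)(?:_|$)")


def referenced_env_vars(doc, prefix):
    """Collect variable names the document reads or mentions by prefix."""
    names = set(re.findall(r"\b" + re.escape(prefix) + r"[A-Z0-9_]+\b", doc))
    for pattern in ACCESS_PATTERNS:
        names.update(pattern.findall(doc))
    return names


def undeclared_env_vars(doc, declared, prefix):
    """Return sorted (name, is_sensitive) for variables used but not declared."""
    missing = referenced_env_vars(doc, prefix) - set(declared)
    return [(name, bool(SENSITIVE.search(name))) for name in sorted(missing)]


# Constructed excerpt assembled from lines of the SKILL.md shown on this page.
SKILL_MD_EXCERPT = """
xclaw02 pay <url>  Pay for a resource (requires XCLAW02_PRIVATE_KEY)
const signer = await createSigner('eip155:8453', process.env.XCLAW02_PRIVATE_KEY);
signer = create_signer('eip155:8453', os.environ['XCLAW02_PRIVATE_KEY'])
Base is the default network. To use others, set XCLAW02_NETWORK environment variable.
NETWORK_MISMATCH  Wrong network  Check the 402 response for required network
"""

if __name__ == "__main__":
    # The scan reports that the registry metadata declares no environment variables.
    for name, sensitive in undeclared_env_vars(SKILL_MD_EXCERPT, [], "XCLAW02_"):
        print(name, "SENSITIVE" if sensitive else "")
```

Error codes such as NETWORK_MISMATCH are not reported, because only names read from the environment or carrying the skill's prefix are collected.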

Like a lobster shell, security has layers — review code before you run it.

Current version: v0.1.0

Runtime requirements

$ Clawdis
Any bin: node, npx, python3, pip

SKILL.md

xClaw02

Your entry point into x402 - the open payment standard for the agentic web.

x402 is an open protocol enabling instant stablecoin payments over HTTP using the 402 Payment Required status code. xClaw02, built by Primer, provides agent-friendly CLI tools and simple APIs for making and receiving payments.

When to Use This Skill

Use xClaw02 when:

  • You encounter a 402 Payment Required HTTP response
  • You need to access a paid API or resource
  • The user asks you to pay for something with crypto/USDC
  • You need to check wallet balance or manage payments
  • You want to charge for your own API or service

How to Respond

| User Says/Asks | What to Do |
| --- | --- |
| "I got a 402 error" | This is an x402 payment request. Probe the URL with xclaw02 probe <url>, show the price, ask if they want to pay |
| "Pay for this API" | Use xclaw02 pay <url> --max-amount <amount> - always confirm amount with user first |
| "Check my balance" | Run xclaw02 wallet balance <address> |
| "Set up x402" / "Set up payments" | Run xclaw02 openclaw init |
| "What networks do you support?" | List supported networks (Base is primary; also Ethereum, Arbitrum, Optimism, Polygon) |
| "How much does X cost?" | Probe the URL with xclaw02 probe <url> to get pricing |
| "Create a wallet" | Run xclaw02 wallet create - remind user to save the private key securely |
| "I want to charge for my API" | Show the Express.js or FastAPI middleware examples |

Quick Setup

Node.js

npx xclaw02 openclaw init

Python

pip install xclaw02
xclaw02 openclaw init

This will:

  1. Create a new wallet (or use existing)
  2. Save config to ~/.openclaw/skills/xclaw02/
  3. Display your wallet address to fund with USDC on Base
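Since setup writes wallet configuration under ~/.openclaw/skills/xclaw02/, it is worth auditing that directory afterwards. The following is an added example, not xClaw02's own code: it reports entries that group or other users can access and files containing a value shaped like the key format the page gives, without echoing the value. The file names and JSON field in the sample are constructed; the page does not say which files the tool writes.

```python
import os
import re
import stat
import tempfile

# "0x followed by 64 hex characters" is the key format given on the page.
# Transaction hashes have the same shape, so treat a hit as a lead to review.
KEY_SHAPED = re.compile(rb"(?<![0-9A-Fa-f])0x[0-9A-Fa-f]{64}(?![0-9A-Fa-f])")
MAX_BYTES = 1 << 20  # skip large files; config and key files are small


def audit_config_dir(root):
    """Return sorted (relative_path, issue) pairs; never returns key material."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # permission bits on a symlink are not meaningful
            rel = os.path.relpath(path, root)
            if stat.S_IMODE(st.st_mode) & 0o077:
                findings.append((rel, "accessible to group/other"))
            if stat.S_ISREG(st.st_mode) and st.st_size <= MAX_BYTES:
                with open(path, "rb") as fh:
                    if KEY_SHAPED.search(fh.read()):
                        findings.append((rel, "key-shaped value in plaintext"))
    return sorted(findings)


def build_sample_dir():
    """Constructed sample: a world-readable file with a fake key, and a clean file."""
    root = tempfile.mkdtemp()
    for name, body, mode in [
        ("config.json", '{"privateKey": "0x' + "ab" * 32 + '"}', 0o644),
        ("state.json", '{"network": "base"}', 0o600),
    ]:
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    target = os.path.expanduser("~/.openclaw/skills/xclaw02")
    root = target if os.path.isdir(target) else build_sample_dir()
    for rel, issue in audit_config_dir(root):
        print(f"{rel}: {issue}")
```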

How x402 Works

  1. Request - You call a paid API
  2. 402 Response - Server returns payment requirements in headers
  3. Pay & Retry - Sign payment, retry request with PAYMENT-SIGNATURE header
  4. Access - Server verifies payment, settles on-chain, returns resource

The payment is gasless for the payer - the facilitator handles gas fees.

CLI Commands

| Command | Description |
| --- | --- |
| xclaw02 openclaw init | Set up xClaw02 for this agent |
| xclaw02 openclaw status | Check setup status and balance |
| xclaw02 probe <url> | Check if URL requires payment and get price |
| xclaw02 pay <url> | Pay for a resource (requires XCLAW02_PRIVATE_KEY) |
| xclaw02 pay <url> --dry-run | Preview payment without paying |
| xclaw02 pay <url> --max-amount 0.10 | Pay with spending limit |
| xclaw02 wallet create | Create a new wallet |
| xclaw02 wallet balance <address> | Check USDC balance on Base |
| xclaw02 wallet from-mnemonic | Restore wallet from mnemonic |
| xclaw02 networks | List supported networks |

Example CLI Output

$ xclaw02 probe https://api.example.com/paid
{
  "status": "payment_required",
  "price": "0.05",
  "currency": "USDC",
  "network": "base",
  "recipient": "0x1234...abcd",
  "description": "Premium API access"
}

$ xclaw02 wallet balance 0xYourAddress
{
  "address": "0xYourAddress",
  "network": "base",
  "balance": "12.50",
  "token": "USDC"
}

$ xclaw02 pay https://api.example.com/paid --max-amount 0.10
{
  "status": "success",
  "paid": "0.05",
  "txHash": "0xabc123...",
  "response": { ... }
}

Using in Code

Node.js / TypeScript

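const { createSigner, x402Fetch } = require('xclaw02');

// require() means CommonJS, which has no top-level await, so wrap the calls
async function main() {
  // Private key format: 0x followed by 64 hex characters
  const signer = await createSigner('eip155:8453', process.env.XCLAW02_PRIVATE_KEY);
  const response = await x402Fetch('https://api.example.com/paid', signer, {
    maxAmount: '0.10'  // Maximum USDC to spend
  });
  return response.json();
}

main().catch((err) => {
  console.error(err.message);  // log the message only, never the key or signer
  process.exitCode = 1;
});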

Python

from xclaw02 import create_signer, x402_requests
import os

# Private key format: 0x followed by 64 hex characters
signer = create_signer('eip155:8453', os.environ['XCLAW02_PRIVATE_KEY'])
with x402_requests(signer, max_amount='0.10') as session:
    response = session.get('https://api.example.com/paid')
    data = response.json()

Selling Your Services (Server-Side)

Want other agents to pay you? Add a paywall to your API:

Express.js

const express = require('express');
const { x402Express } = require('xclaw02');

const app = express();

// Requests to the listed routes must carry a valid payment
app.use(x402Express('0xYourAddress', {
  '/api/premium': {
    amount: '0.05',          // $0.05 USDC per request
    asset: '0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913',  // USDC token contract on Base
    network: 'eip155:8453'   // Base mainnet (CAIP-2 ID)
  }
}));

app.get('/api/premium', (req, res) => {
  res.json({ data: 'Premium content here' });
});

app.listen(3000);  // port is arbitrary

FastAPI (Python)

from fastapi import FastAPI
from xclaw02 import x402_fastapi

app = FastAPI()

app.add_middleware(x402_fastapi(
    '0xYourAddress',
    {
        '/api/premium': {
            'amount': '0.05',  # $0.05 USDC per request
            'asset': '0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913',  # USDC token contract on Base
            'network': 'eip155:8453'  # Base mainnet (CAIP-2 ID)
        }
    }
))

@app.get("/api/premium")
async def premium_endpoint():
    return {"data": "Premium content here"}

Supported Networks

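| Network | CAIP-2 ID | Token | Notes |
| --- | --- | --- | --- |
| Base | eip155:8453 | USDC | Primary - fast, cheap, recommended |
| Base Sepolia | eip155:84532 | USDC | Testnet |
| Ethereum | eip155:1 | USDC | Higher fees |
| Arbitrum | eip155:42161 | USDC | |
| Optimism | eip155:10 | USDC | |
| Polygon | eip155:137 | USDC | |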

Base is the default network. To use another, set the XCLAW02_NETWORK environment variable.

Facilitators

Facilitators handle payment verification and on-chain settlement. The x402 ecosystem has many independent facilitators:

| Name | URL | Notes |
| --- | --- | --- |
| Primer | https://x402.primer.systems | Default |
| Coinbase | https://api.cdp.coinbase.com/platform/v2/x402 | |
| x402.org | https://x402.org/facilitator | Testnet only |
| PayAI | https://facilitator.payai.network | |
| Corbits | https://facilitator.corbits.dev | |
| Dexter | https://x402.dexter.cash | |
| Heurist | https://facilitator.heurist.xyz | |
| Kobaru | https://gateway.kobaru.io | |
| Nevermined | https://api.live.nevermined.app/api/v1/ | |
| Openfacilitator | https://pay.openfacilitator.io | |
| Solpay | https://x402.solpay.cash | |
| xEcho | https://facilitator.xechoai.xyz | |

To use a different facilitator, set the XCLAW02_FACILITATOR environment variable.

Environment Variables

| Variable | Format | Description |
| --- | --- | --- |
| XCLAW02_PRIVATE_KEY | 0x + 64 hex chars | Wallet private key (required for payments) |
| XCLAW02_NETWORK | eip155:8453, base, etc. | Default network (default: base) |
| XCLAW02_MAX_AMOUNT | 0.10 | Default max payment amount in USDC |
| XCLAW02_FACILITATOR | URL | Facilitator URL override |

Error Handling

| Error Code | Meaning | What to Do |
| --- | --- | --- |
| INSUFFICIENT_FUNDS | Wallet balance too low | Tell user to fund wallet with USDC on Base |
| AMOUNT_EXCEEDS_MAX | Payment exceeds maxAmount | Ask user to approve higher amount, then retry with --max-amount |
| SETTLEMENT_FAILED | On-chain settlement failed | Wait a moment and retry, or try a different facilitator |
| INVALID_RESPONSE | Malformed 402 response | The URL may not support x402 properly |
| NETWORK_MISMATCH | Wrong network | Check the 402 response for required network, set XCLAW02_NETWORK |
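A caller can apply the same limits to a probe result before any process that holds the private key is started. The following is an added example, not xClaw02's own logic: it evaluates probe output of the shape shown under Example CLI Output and returns "OK" or one of the error codes above. The function names and the network aliases other than "base" are assumptions of the example.

```python
import json
from decimal import Decimal, InvalidOperation

# CAIP-2 IDs from the page's Supported Networks table. Only "base" appears
# as a short name on the page; the other aliases are assumptions.
CAIP2 = {
    "base": "eip155:8453", "base-sepolia": "eip155:84532",
    "ethereum": "eip155:1", "arbitrum": "eip155:42161",
    "optimism": "eip155:10", "polygon": "eip155:137",
}


def to_caip2(name):
    """Map a short alias or CAIP-2 ID to a CAIP-2 ID, or None if unknown."""
    name = str(name).strip().lower()
    return name if name in CAIP2.values() else CAIP2.get(name)


def check_quote(probe_output, max_amount, network="base"):
    """Return (decision, price): "OK" or one of the page's error codes."""
    try:
        quote = json.loads(probe_output)
        price = Decimal(str(quote["price"]))  # Decimal, not float: exact amounts
        quoted_net = to_caip2(quote["network"])
        well_formed = (quote["status"] == "payment_required"
                       and quote["currency"] == "USDC"
                       and price.is_finite() and price > 0)
    except (ValueError, KeyError, TypeError, InvalidOperation):
        return "INVALID_RESPONSE", None
    if not well_formed:
        return "INVALID_RESPONSE", None
    if quoted_net is None or quoted_net != to_caip2(network):
        return "NETWORK_MISMATCH", price
    if price > Decimal(max_amount):
        return "AMOUNT_EXCEEDS_MAX", price
    return "OK", price


# Constructed sample, shaped like the probe output shown on the page.
SAMPLE_PROBE = json.dumps({
    "status": "payment_required", "price": "0.05", "currency": "USDC",
    "network": "base", "recipient": "0x1234...abcd",
    "description": "Premium API access",
})

if __name__ == "__main__":
    print(check_quote(SAMPLE_PROBE, max_amount="0.10"))
```

A price of NaN or Infinity is rejected as malformed before any comparison, so a crafted quote cannot slip past the limit check.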

Security Notes

  • Never expose private keys in logs, chat, or output
  • Use environment variables for wallet credentials
  • Always confirm payment amounts with user before paying
  • Fund wallets only with what's needed for the task
  • Private key format: 0x followed by 64 hexadecimal characters

Alternative Implementations

x402 is an open standard with multiple implementations:

Official Coinbase SDK - The reference implementation with Go support and Solana (SVM) in addition to EVM chains:

When to use alternatives:

  • You need Go support (xClaw02 is Node.js/Python only)
  • You need Solana payments (xClaw02 is EVM only)
  • You want the official reference implementation

All x402 implementations are interoperable - a client using any SDK can pay a server using any other SDK, as long as they share a supported network and facilitator.
