Scan report
0/100
openclaw-ghost-pay
Discover Ghost payment requirements, execute real x402 calls, report x402 settlements, and run GhostWire quote/prepare/status flows for direct escrow.
Legitimate Ghost Protocol payment integration for OpenClaw agents using standard x402 payment protocol; all capabilities are declared, dependencies are well-known, and no malicious or exfiltration behavior detected.
Safe to install
No action needed. Skill is safe to use for its documented purpose of x402 payment handling and GhostRank settlement reporting.
| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| Network access | READ | READ | ✓ Consistent | bin/call-x402.mjs:59 - fetch() calls to merchant URLs; bin/get-payment-requireme… |
| Command execution | NONE | NONE | — | No subprocess/shell execution found. Scripts use only Node.js built-ins (fetch, … |
| Environment variables | READ | READ | ✓ Consistent | Scripts read GHOST_SIGNER_PRIVATE_KEY and related env vars only for signing x402… |
| File system | NONE | NONE | — | No file read/write operations. Uses only {baseDir} path substitution for script … |
| Clipboard | NONE | NONE | — | No clipboard access observed. |
| Skill invocation | READ | READ | ✓ Consistent | SKILL.md declares skill is invoked for x402 workflows; openclaw.plugin.json regi… |
| Database | NONE | NONE | — | No database access observed. |
| Browser | NONE | NONE | — | No browser access observed. |
2 findings
Medium: External URL https://ghostprotocol.cc (INSTALL.md:47)
Medium: External URL https://merchant.example.com/ask (INSTALL.md:51)
Directory structure
13 files · 47.8 KB · 1461 lines
JavaScript: 7 files · 954 lines
Markdown: 4 files · 479 lines
JSON: 2 files · 28 lines
├─ bin
│  ├─ call-x402.mjs (JavaScript)
│  ├─ create-wire-job-from-quote.mjs (JavaScript)
│  ├─ get-payment-requirements.mjs (JavaScript)
│  ├─ get-wire-job-status.mjs (JavaScript)
│  ├─ get-wire-quote.mjs (JavaScript)
│  ├─ report-x402-settlement.mjs (JavaScript)
│  └─ shared.mjs (JavaScript)
├─ INSTALL.md (Markdown)
├─ openclaw.plugin.json (JSON)
├─ package.json (JSON)
├─ QUICKSTART.md (Markdown)
├─ README.md (Markdown)
└─ SKILL.md (Markdown)
Dependency analysis: 3 items
| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| viem | ^2.21.0 | npm | No | Pinned to minor version range. Well-maintained Ethereum library. |
| x402 | ^1.1.0 | npm | No | Pinned to minor version range. Official x402 protocol library. |
| x402-fetch | ^1.1.0 | npm | No | Pinned to minor version range. Official x402-fetch wrapper. |
Security highlights
✓ All network calls go to documented endpoints: ghostprotocol.cc (MCP and settlement API) and user-specified merchant URLs for x402 payment flow
✓ Private key signing is performed locally via viem's privateKeyToAccount; private key never leaves the runtime
✓ Dependencies (viem, x402, x402-fetch) are pinned to minor versions and are well-known, reputable packages
✓ No subprocess, shell execution, or command injection vectors found
✓ No credential exfiltration — GHOST_SIGNER_PRIVATE_KEY is used only for signing and never logged or transmitted
✓ No access to sensitive filesystem paths (~/.ssh, ~/.aws, .env files)
✓ No base64 obfuscation, eval usage, or anti-analysis patterns
✓ SKILL.md fully documents all capabilities, environment variables, and script behaviors
✓ Dry-run mode available to validate requests before committing to payment
✓ Proper JSON-RPC error handling and timeout management throughout
✓ Clear exit codes (0 for success, 1 for failure) for agent workflow integration