技能详情(站内镜像,无评论)
作者:ASG Compute @asgcompute
许可证:MIT-0
MIT-0 ·免费使用、修改和重新分发。无需归因。
版本:v0.2.0
统计:⭐ 1 · 96 · 0 current installs · 0 all-time installs
⭐ 1
安装量(当前) 0
🛡 VirusTotal :良性 · OpenClaw :可疑
Package:asgcompute/agentcard
安全扫描(ClawHub)
- VirusTotal :良性
- OpenClaw :可疑
OpenClaw 评估
The skill's stated behaviour (agent-managed virtual MasterCards) is plausible, but there are notable inconsistencies and privilege concerns—most importantly around how the Stellar private key is supplied and stored, plus a detected prompt-injection signal in the SKILL.md.
目的
Functionality (create/fund/manage cards via x402 on Stellar) matches the code and files present; a payment skill legitimately needs a Stellar wallet secret. However the SKILL metadata declares ASG_CARD_WALLET_SECRET as required while the README/SKILL.md repeatedly says the MCP server/readme uses a local wallet file (~/.asgcard/wallet.json) and 'no env vars needed' for clients — that mismatch is unexplained and surprising.
说明范围
Runtime instructions ask you to run npx @asgcard/cli onboard which creates a local wallet and configures MCP tools (expected). But the SKILL.md also contains a frontmatter requiring an env var ASG_CARD_WALLET_SECRET. Additionally, a prompt-injection pattern (unicode-control-chars) was detected in SKILL.md — this could indicate attempts to manipulate prompt parsing during evaluation. The skill grants an agent autonomous authority to initiate on…
安装机制
There is no install spec (instruction-only in registry metadata), which is low-risk, but the package includes a large source tree and executable scripts (CLI, mcp-server, e2e and preflight scripts). Those scripts will perform network calls (API, Horizon) and can run locally via the repo — review them before running. The absence of an explicit install mechanism is not itself malicious but means the user/agent may run arbitrary included scripts …
证书
The skill declares a single primary credential ASG_CARD_WALLET_SECRET (a Stellar private key) — that is logically required for signing payments but is a highly sensitive secret. The SKILL.md and README claim the wallet 'never leaves your machine' and that 'no env vars needed' for MCP clients; yet the registry metadata forces ASG_CARD_WALLET_SECRET as required. The code and tests reference additional env vars (WEBHOOK_SECRET, STELLAR_TREASURY_A…
持久
The skill is not always: true and does not demand elevated platform privileges. Autonomous invocation is enabled by default (normal for skills) and means an agent could spend funds when invoked. This is expected for a payment skill but increases blast radius: if the agent is allowed to act autonomously and holds a funded wallet, it can make real on-chain payments and create real cards.
api/__tests__/webhook-and-verify.test.ts:8
Environment variable access combined with network send.
api/src/services/fourPaymentsClient.ts:307
Environment variable access combined with network send.
cli/src/index.ts:60
Environment variable access combined with network send.
cli/src/index.ts:27
File read combined with network send (possible exfiltration).
安装(复制给龙虾 AI)
将下方整段复制到龙虾中文库对话中,由龙虾按 SKILL.md 完成安装。
请把本段交给龙虾中文库(龙虾 AI)执行:为本机安装 OpenClaw 技能「ASG Card」。简介:Virtual MasterCards for AI agents — crypto payments, USDC wallet, create and ma…。
请 fetch 以下地址读取 SKILL.md 并按文档完成安装:https://raw.githubusercontent.com/openclaw/skills/refs/heads/main/skills/asgcompute/agentcard/SKILL.md
(来源:yingzhi8.cn 技能库)SKILL.md
---
name: asgcard
description: Virtual MasterCards for AI agents — crypto payments, USDC wallet, create and manage virtual payment cards autonomously via x402 protocol on Stellar blockchain.
version: 1.0.8
emoji: 💳
homepage: https://asgcard.dev
metadata:
openclaw:
requires:
env:
- ASG_CARD_WALLET_SECRET
bins: []
primaryEnv: ASG_CARD_WALLET_SECRET
os: ["macos", "linux", "windows"]
---
# Agent Card — Payment Skill
Give your AI agent a virtual MasterCard. Agent Card lets agents autonomously create, fund, and manage virtual MasterCard cards by paying in USDC on the Stellar blockchain.
## What It Does
- **Create cards** — Issue virtual MasterCards with per-card spend limits
- **Fund cards** — Top up existing cards with USDC
- **Manage cards** — List, freeze, unfreeze, and inspect card details
- **On-chain payments** — Every transaction uses the x402 protocol on Stellar with verifiable on-chain proof
## Setup
```bash
npx @asgcard/cli onboard -y
```
This creates a Stellar wallet (`~/.asgcard/wallet.json`), configures the MCP server, and installs the payment skill. Your agent is ready to pay in under 30 seconds.
## MCP Tools (9 available)
| Tool | Description |
|------|-------------|
| `get_wallet_status` | Wallet address, USDC balance, readiness |
| `create_card` | Create virtual MasterCard (x402 payment) |
| `fund_card` | Top up existing card |
| `list_cards` | List all wallet cards |
| `get_card` | Card summary |
| `get_card_details` | PAN, CVV, expiry (nonce-protected) |
| `freeze_card` | Freeze a card |
| `unfreeze_card` | Re-enable a card |
| `get_pricing` | Current tier pricing |
## Use Cases
- Pay for API credits (Anthropic, OpenAI, Google Cloud)
- Provision cloud infrastructure (DigitalOcean, Vercel)
- Buy domains, SaaS subscriptions, and developer tools
- Any merchant that accepts MasterCard
## Links
- [Documentation](https://asgcard.dev/docs)
- [npm SDK](https://npmjs.com/package/@asgcard/sdk)
- [GitHub](https://github.com/ASGCompute/asgcard-public)