Code Plugin · source linked

StablePay OpenClaw Plugin v0.2.0

StablePay wallet, client-side DID registration, OWS/local signing, and payment tools for OpenClaw.

stablepay-openclaw-plugin · runtime stablepayai · by @bubblevan
Community code plugin. Review compatibility and verification before install.
openclaw plugins install clawhub:stablepay-openclaw-plugin
Latest release: v0.2.0

Capabilities

configSchema: Yes
Executes code: Yes
HTTP routes: 0
Runtime ID: stablepayai

Compatibility

Built With Open Claw Version: 2026.3.24-beta.2
Min Gateway Version: 2026.3.24-beta.2
Plugin Api Range: >=2026.3.24-beta.2
Plugin Sdk Version: 2026.3.24-beta.2
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (high confidence)
Purpose & Capability
Code and SKILL.md align with the described purpose (client-side wallet, signing, DID registration, payment flows). However the registry metadata declares no required environment variables while the runtime and docs clearly require STABLEPAY_PLUGIN_MASTER_KEY (and optionally STABLEPAY_OWS_PASSPHRASE / STABLEPAY_OWS_REST_API_KEY). Also package-lock contains many large dependencies (AWS SDK entries and other SDKs) that are not obvious from the plugin description or minimal package.json dependency list — this is unexpected and worth verifying.
[!] Instruction Scope
Runtime instructions ask the operator to set a secret env var (STABLEPAY_PLUGIN_MASTER_KEY) and optionally OWS passphrases / API keys. The README also advises editing /etc/wsl.conf (sudo tee -a ...) to change mount options — that modifies a system config file and requires elevated privileges. The tools/scripts read/write an encrypted local state file under the user's home directory and will call local HTTP endpoints (defaults to 127.0.0.1 on various ports). No code appears to exfiltrate secrets by default, but the agent will perform network requests to a configurable backend URL (resolveTarget accepts absolute URLs). The SKILL.md is more prescriptive than the registry metadata about env and config access (incoherent).
Install Mechanism
There is no install spec in the registry (instruction-only), but the package includes source and built JS (dist/) and a package-lock.json. The SKILL.md instructs running npm install / npm run build locally (which is normal for a plugin). The presence of a large package-lock with many AWS-related packages and other SDKs is unexpected given the small declared dependency list in package.json and should be reviewed before running npm install.
[!] Credentials
The plugin requires a sensitive master key (STABLEPAY_PLUGIN_MASTER_KEY) to derive the AES-256-GCM key for the local encrypted keystore; this is appropriate for a client-side keystore but the registry metadata incorrectly lists no required env vars. Additional optional secrets (OWS passphrase, OWS REST API key) are referenced in code/config. The mismatch between declared and actual required env vars is an incoherence and increases risk if users aren't warned. Several environment-variable names suggest high sensitivity (MASTER_KEY, PASSPHRASE, REST API KEY) and should be declared and handled carefully.
Persistence & Privilege
The plugin persists an encrypted local state file (~/.stablepay-openclaw/stablepay-local-state.enc) and creates policy files in a subdirectory — this is coherent with its purpose. It does not request always:true and does not appear to modify other plugins or system-wide agent settings automatically. The SKILL.md does suggest an optional manual change to /etc/wsl.conf (system-level), which is noteworthy but not performed automatically by the plugin.
What to consider before installing
This plugin mostly does what it says (client-side wallet, signing, DID registration, payment demo), but there are a few red flags you should consider before installing:

- Required secrets are not declared in the registry metadata. The SKILL.md and code require STABLEPAY_PLUGIN_MASTER_KEY (master key used to encrypt local private keys). If you set this, treat it like a high-value secret; do not reuse other important keys/passwords.
- Optional sensitive env vars (OWS passphrase, OWS REST API key) are used if you enable those runtimes. Only provide those to trusted services.
- The README instructs running sudo tee -a /etc/wsl.conf to change WSL mount options. That modifies a system file with elevated privileges — do not run such commands unless you understand and accept the change.
- package-lock.json contains many large dependencies (AWS SDKs, other SDKs) that are unexpected relative to the small dependency list in package.json. Review package.json and the lockfile locally before running npm install; consider running in an isolated environment or container.
- The plugin makes network calls to a configurable backendBaseUrl; by default this is localhost, but the code will accept absolute URLs. Verify any backend endpoint you configure is trusted and does not point to external services you don't control.

Recommended actions before installing:

1) Ask the author/maintainer to update registry metadata to list required env vars (STABLEPAY_PLUGIN_MASTER_KEY and any optional OWS secrets) and explain their use.
2) Inspect package.json and package-lock.json locally and, if you must build, do so in an isolated VM/container. Consider auditing or pinning dependencies.
3) Backup and review the encrypted local state location (default ~/.stablepay-openclaw). Understand how to revoke/rotate keys if compromised.
4) Avoid applying the /etc/wsl.conf change unless you understand WSL mount permission implications.
5) If you will provide OWS REST API keys or passphrases, confirm the remote service is trustworthy and that network endpoints are correct.

If you want, I can extract the exact places the code reads environment variables and list all network endpoints the code can call to help you decide what to trust.
dist/runtime.js:451 - Shell command execution detected (child_process).
src/runtime.ts:610 - Shell command execution detected (child_process).
dist/runtime.js:266 - Environment variable access combined with network send.
showmethemoney-skill/demo-backend/server.mjs:4 - Environment variable access combined with network send.
src/runtime.ts:399 - Environment variable access combined with network send.
[!] examples/plugins.entries.sample.json:7 - Install source points to URL shortener or raw IP.
[!] openclaw.plugin.json:13 - Install source points to URL shortener or raw IP.
[!] dist/runtime.js:391 - File read combined with network send (possible exfiltration).
[!] src/runtime.ts:541 - File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Verification

Tier: source linked
Scope: artifact only
Summary: Validated package structure and linked the release to source metadata.
Commit: 5b255b6
Tag: main
Provenance: No
Scan status: pending

Tags

blockchain: 0.3.1
latest: 0.2.0
payment: 0.3.1
solana: 0.3.1

StablePay OpenClaw Plugin

OpenClaw plugin that handles the client-side wallet, signing, and payment-policy side of the StablePay flow.

Verified state

stablepay_runtime_status confirmed working as of 2026-03-31:

{
  "requested_driver": "auto",
  "active_driver": "local-dev",
  "available_drivers": ["local-dev"],
  "local_state_path": "/home/bubblevan/.stablepay-openclaw/stablepay-local-state.enc",
  "has_wallet": false,
  "wallet": null,
  "payment_config": null,
  "policy": null,
  "notes": [
    "OWS Node SDK could not be loaded in this environment. On the current Windows machine, the official package does not ship a win32 native binding yet.",
    "The plugin will use a local AES-256-GCM encrypted state file as the current development fallback. This is suitable for local OpenClaw demos, but it is not the final OWS custody model."
  ]
}

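DID and private key model (important)

| API | Purpose | Private key location |
| --- | --- | --- |
| POST /api/v1/did (default didRegisterPath) | Primary contract path (PRD/tech); stablepay_register_local_did | Client / OWS Vault; the server stores only the public key |
| POST /api/v1/did/register | Compatibility alias with the same logic as the row above | Same as above |

The server does not generate or hold custody of user private keys. For routing details, see api-gateway/docs/did-flow.md.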

Runtime model

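| Driver | When active | Notes |
| --- | --- | --- |
| ows-sdk | @open-wallet-standard/core can be loaded | In-process signing (Linux/macOS, etc.) |
| ows-rest | owsRestBaseUrl is configured + STABLEPAY_OWS_REST_API_KEY (or a custom env var) | HTTP SignMessageRequest → hex signature |
| ows-cli / wsl-ows | ows is on PATH and can be selected | Subprocess ows sign message --json |
| local-dev | Fallback | AES-256-GCM encrypted state file in ~/.stablepay-openclaw/ |

auto priority: ows-sdk → (if REST is configured and an API key is present) ows-rest → ows-cli → local-dev. On Windows there is usually no OWS native binding, so the plugin falls back to local-dev, or you can use ows-cli inside WSL.

For the WSL end-to-end steps, see docs/ows-wsl-e2e.md.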

Installation

WSL (required — do not install from /mnt/d/)

OpenClaw blocks plugins installed from NTFS-mounted paths (/mnt/d/, /mnt/c/, etc.) because Windows NTFS shows mode=777 in WSL and OpenClaw treats world-writable paths as untrusted.

Copy the plugin to a Linux-native path, build it, then install:

cp -r /mnt/d/mylab/stablepay/stablepay-openclaw-plugin ~/stablepay-openclaw-plugin
cd ~/stablepay-openclaw-plugin
chmod -R 755 .
npm install
npm run build          # compiles src/ → dist/
openclaw plugins install --link ~/stablepay-openclaw-plugin
openclaw gateway restart

After any source change, rebuild and reinstall:

cd ~/stablepay-openclaw-plugin
npm run build
openclaw plugins install --link ~/stablepay-openclaw-plugin
openclaw gateway restart

Permanent fix (optional)

To avoid the copy and let OpenClaw accept /mnt/d/ paths, configure WSL to mount with proper permissions:

sudo tee -a /etc/wsl.conf > /dev/null << 'EOF'

[automount]
options = "metadata,umask=022,fmask=111"
EOF

Then restart WSL from Windows PowerShell:

wsl --shutdown

After that you can install directly from the Windows path.

Required environment variable

Set STABLEPAY_PLUGIN_MASTER_KEY before using the local wallet runtime. The plugin uses this to derive the AES-256-GCM key for stablepay-local-state.enc.

# bash / WSL
export STABLEPAY_PLUGIN_MASTER_KEY="replace-with-a-long-random-secret"
# PowerShell
$env:STABLEPAY_PLUGIN_MASTER_KEY = "replace-with-a-long-random-secret"

If this variable is not set, stablepay_create_local_wallet will fail.

Optional (only needed if you run a supported OWS SDK runtime):

export STABLEPAY_OWS_PASSPHRASE="..."
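
How a master secret can seal and reopen a local state file with AES-256-GCM, including the failure cases (missing key, wrong key, modified file). This is an added example, not the plugin's own code: the scrypt KDF, the salt/nonce/tag layout, the 32-character minimum and all function names are assumptions, since the page only states that the key is derived from STABLEPAY_PLUGIN_MASTER_KEY.

```javascript
const crypto = require('node:crypto');

// Assumed layout of the sealed blob: salt | nonce | auth tag | ciphertext.
const SALT_LEN = 16, NONCE_LEN = 12, TAG_LEN = 16;

function deriveKey(masterKey, salt) {
  // Fail closed when the env var is unset or trivially short (assumed minimum).
  if (typeof masterKey !== 'string' || masterKey.length < 32) {
    throw new Error('master key missing or shorter than 32 characters');
  }
  return crypto.scryptSync(masterKey, salt, 32); // 32 bytes = AES-256 key
}

function sealState(masterKey, state) {
  const salt = crypto.randomBytes(SALT_LEN);
  const nonce = crypto.randomBytes(NONCE_LEN); // fresh on every write, never reused
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(masterKey, salt), nonce);
  const body = Buffer.concat([cipher.update(JSON.stringify(state), 'utf8'), cipher.final()]);
  return Buffer.concat([salt, nonce, cipher.getAuthTag(), body]);
}

function openState(masterKey, blob) {
  const nonceEnd = SALT_LEN + NONCE_LEN;
  const salt = blob.subarray(0, SALT_LEN);
  const nonce = blob.subarray(SALT_LEN, nonceEnd);
  const tag = blob.subarray(nonceEnd, nonceEnd + TAG_LEN);
  const body = blob.subarray(nonceEnd + TAG_LEN);
  const decipher = crypto.createDecipheriv('aes-256-gcm', deriveKey(masterKey, salt), nonce);
  decipher.setAuthTag(tag);
  // final() throws when the key is wrong or any byte of the file was changed.
  const plain = Buffer.concat([decipher.update(body), decipher.final()]);
  return JSON.parse(plain.toString('utf8'));
}

// Wrapper that reports failure instead of throwing.
function tryOpen(masterKey, blob) {
  try { return { ok: true, state: openState(masterKey, blob) }; }
  catch (err) { return { ok: false, state: null }; }
}

// Constructed demo values; a real caller passes process.env.STABLEPAY_PLUGIN_MASTER_KEY.
const demoBlob = sealState('constructed-demo-secret-0123456789abcdef', { has_wallet: true });
console.log(tryOpen('constructed-demo-secret-0123456789abcdef', demoBlob));
console.log(tryOpen('wrong-constructed-secret-0123456789abcdef', demoBlob));
```
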

Plugin config (~/.openclaw/openclaw.json)

All fields are optional. The plugin falls back to the defaults shown below if config is absent.

{
  "plugins": {
    "entries": {
      "stablepay-mock-plugin": {
        "enabled": true,
        "config": {
          "backendBaseUrl": "http://127.0.0.1:28080",
          "verifyPageBaseUrl": "http://127.0.0.1:3000/verify",
          "owsRuntime": "auto",
          "walletNamePrefix": "stablepay",
          "didRegisterPath": "/api/v1/did",
          "owsRestBaseUrl": "",
          "owsRestSignPath": "/v1/sign/message",
          "owsRestWalletId": ""
        }
      }
    }
  }
}

backendBaseUrl defaults to http://127.0.0.1:8080 if omitted (for Docker integration testing, change it to the Gateway port, e.g. 28080).
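
Because the URL fields above decide where the plugin sends requests, a config review can flag any value that does not resolve to the local machine. This is an added example, not part of the plugin: the function names and the sample config are constructed here, and a non-loopback finding means "review this endpoint", not that it is malicious.

```javascript
const net = require('node:net');

// Config keys from the page that hold URLs the plugin may call.
const URL_FIELDS = ['backendBaseUrl', 'verifyPageBaseUrl', 'owsRestBaseUrl'];

function isLoopbackHost(hostname) {
  const host = hostname.replace(/^\[|\]$/g, ''); // URL keeps brackets around IPv6
  if (host === 'localhost') return true;
  if (net.isIPv4(host)) return host.split('.')[0] === '127'; // 127.0.0.0/8
  return net.isIPv6(host) && host === '::1';
}

// Returns one finding per URL field that needs a human decision.
function auditPluginConfig(openclawJson, entryName) {
  const config = openclawJson?.plugins?.entries?.[entryName]?.config ?? {};
  const findings = [];
  for (const field of URL_FIELDS) {
    const value = config[field];
    if (value === undefined || value === '') continue; // unset: nothing to review
    let url;
    try { url = new URL(value); } catch {
      findings.push({ field, value, issue: 'not an absolute URL' });
      continue;
    }
    if (url.protocol !== 'http:' && url.protocol !== 'https:') {
      findings.push({ field, value, issue: `unexpected scheme ${url.protocol}` });
    } else if (!isLoopbackHost(url.hostname)) {
      // Also catches look-alikes: 127.0.0.1.pay.example, 127.0.0.1@pay.example
      findings.push({ field, value, issue: `non-loopback host ${url.hostname}` });
    }
  }
  return findings;
}

// Constructed sample in the shape of ~/.openclaw/openclaw.json.
const SAMPLE = { plugins: { entries: { 'stablepay-mock-plugin': { config: {
  backendBaseUrl: 'http://127.0.0.1:28080',
  verifyPageBaseUrl: 'http://127.0.0.1.pay.example/verify',
  owsRestBaseUrl: '',
} } } } };
console.log(auditPluginConfig(SAMPLE, 'stablepay-mock-plugin'));
```
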

Tools

Local wallet runtime (new)

| Tool | What it does |
| --- | --- |
| stablepay_runtime_status | Show active driver, wallet presence, state path, payment config, policy |
| stablepay_create_local_wallet | Generate an Ed25519 keypair, encrypt and save to local state file |
| stablepay_register_local_did | POST the local public key to backendBaseUrl/didRegisterPath to create a backend DID record |
| stablepay_configure_payment_limits | Save single-purchase limit and auto-purchase threshold to local state |
| stablepay_build_payment_policy | Assemble a payment policy manifest from local wallet + limits |
| stablepay_sign_message | Sign a message with the local private key (key never leaves the state file) |
| stablepay_execute_paid_skill_demo | Exercise the verify → 402 → pay → retry → 200 chain against showmethemoney-skill/demo-backend |

Test sequence

Smoke test (run first)

Call stablepay_runtime_status and return only the structured result.
Call stablepay_create_local_wallet. Create one local StablePay wallet and show the returned address or wallet summary.
Call stablepay_runtime_status and summarize only the wallet-related fields.

Expected after create_local_wallet: has_wallet: true, wallet not null.

A2 prep flow

Call stablepay_create_local_wallet. Create one local StablePay wallet.
Call stablepay_register_local_did for the current local wallet and return the backend response.
Call stablepay_configure_payment_limits. Set single purchase limit to 5 USDC and auto-purchase threshold to 1 USDC.
Call stablepay_build_payment_policy and return the generated policy manifest.
Call stablepay_sign_message. Sign the message: StablePay local signing smoke test.

B demo flow (paid skill)

Start the demo backend first:

cd showmethemoney-skill/demo-backend
npm install && npm start

Then in OpenClaw:

Call stablepay_execute_paid_skill_demo and show the full payment flow result.

Expected chain: verify → 402 Payment Required → sign + pay → retry → 200 OK.
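
The 402 → sign + pay → retry → 200 part of that chain, run in one process with the local payment limits checked before the key is used and the server rejecting a replayed payment. This is an added example, not the plugin's or demo-backend's code: the message fields, the signed string, the skill prices and the meaning given to the two limits are assumptions, and the verify step is left out because the page does not describe it.

```javascript
const crypto = require('node:crypto');

// Constructed wallet and limits (5 / 1 USDC as in the A2 prep flow above).
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
const policy = { singlePurchaseLimit: 5, autoPurchaseThreshold: 1 };
const PRICES = { cheap: 0.5, mid: 3, pricey: 9 }; // hypothetical skill prices, USDC

// Assumed canonical string that both sides sign and verify.
const canonical = (skill, nonce, amount) => Buffer.from(`${skill}|${nonce}|${amount}|USDC`);

// --- server side: stand-in for demo-backend ---
const pending = new Map(); // nonce -> skill it was issued for
function serve(skill, payment) {
  if (!payment) {
    const nonce = crypto.randomBytes(16).toString('hex');
    pending.set(nonce, skill);
    return { status: 402, challenge: { nonce, amount: PRICES[skill] } };
  }
  const { nonce, amount, signature } = payment;
  if (pending.get(nonce) !== skill) return { status: 402, error: 'unknown or used nonce' };
  if (amount !== PRICES[skill]) return { status: 402, error: 'amount mismatch' };
  const sig = Buffer.from(signature, 'hex');
  if (!crypto.verify(null, canonical(skill, nonce, amount), publicKey, sig)) {
    return { status: 402, error: 'bad signature' };
  }
  pending.delete(nonce); // burn the nonce: a captured payment cannot be replayed
  return { status: 200, body: `${skill} result` };
}

// --- client side: stand-in for the plugin ---
function callPaidSkill(skill, userConfirmed = false) {
  const first = serve(skill);
  if (first.status !== 402) return first;
  const { nonce, amount } = first.challenge;
  // Check the server-quoted amount against local policy before touching the key.
  if (amount > policy.singlePurchaseLimit) return { status: 'refused', amount };
  if (amount > policy.autoPurchaseThreshold && !userConfirmed) {
    return { status: 'needs-confirmation', amount };
  }
  const signature = crypto.sign(null, canonical(skill, nonce, amount), privateKey).toString('hex');
  const payment = { nonce, amount, signature };
  return { ...serve(skill, payment), payment };
}

console.log(callPaidSkill('cheap').status, callPaidSkill('mid').status, callPaidSkill('pricey', true).status);
```
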

Troubleshooting

| Symptom | Likely cause | Fix |
| --- | --- | --- |
| world-writable path (mode=777) | Installing from /mnt/d/ | Copy to ~/ first |
| must have required property 'backendBaseUrl' | Old openclaw.plugin.json with "required": ["backendBaseUrl"] | Pull latest; old schema is fixed |
| stablepay_create_local_wallet fails | STABLEPAY_PLUGIN_MASTER_KEY not set | Set the env var and restart gateway |
| stablepay_register_local_did fails | Wrong backendBaseUrl or didRegisterPath | Check plugin config and that api-gateway is running |
| stablepay_sign_message fails | Local runtime issue, not a backend issue | Check state file exists and key env var is correct |
| stablepay_execute_paid_skill_demo fails | demo-backend not running | Start showmethemoney-skill/demo-backend first |

Development

npm install
npm run check   # TypeScript type check, no output
npm run build   # compile src/ → dist/, required before install

OpenClaw loads dist/index.js (compiled output). After every source change you need to rebuild and reinstall the plugin before the changes take effect in the gateway.