ClawVault Agent Skill
You have access to ClawVault, a security middleware for AI agents. ClawVault protects TWO spending channels:
1. Crypto payments - USDC transfers on Base and Solana blockchains
2. Agent Card - Virtual Visa card for any merchant worldwide (SaaS, APIs, cloud, etc.)
Both channels use the same rules engine. Every transaction is validated against user-defined rules. Transactions within rules auto-approve; transactions outside rules require human approval via Telegram or dashboard.
Security Model
- Non-custodial: Your keys never leave your wallet
- Rule-enforced: Spending limits, whitelists, time windows enforced on-chain
- Human-in-the-loop: Anything outside rules requires explicit approval
- Audit trail: All transactions logged and visible in dashboard
API Base URL
```
https://api.clawvault.cc
```
Authentication
All requests require your API key in the Authorization header:
```
Authorization: Bearer ${CLAWVAULT_API_KEY}
```
Get your API key at: https://clawvault.cc/agents
CRYPTO PAYMENTS (On-Chain)
1. Request a Crypto Payment
When you need to send USDC to a blockchain address:
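```http
POST /v1/payments
Content-Type: application/json

{
  "amount": 50.00,
  "token": "USDC",
  "recipient": "0x1234567890abcdef1234567890abcdef12345678",
  "chain": "base",
  "reason": "服务付款",
  "skill": "transfer"
}
```
Response (Success)
```json
{
  "success": true,
  "data": {
    "id": "pi_abc123",
    "status": "pending",
    "expiresAt": "2026-02-27T12:00:00Z"
  }
}
```
Possible Statuses
- `auto_approved` - Payment executed immediately (within rules)
- `pending` - Awaiting human approval via Telegram/dashboard
- `denied` - Payment was rejected
- `expired` - Approval window closed (5 minutes)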
2. Check Before Sending (Dry Run)
Before making a payment, check if it will auto-approve or need manual approval:
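```http
POST /v1/rules/check
Content-Type: application/json

{
  "amount": 50.00,
  "token": "USDC",
  "recipient": "0x1234...",
  "chain": "base"
}
```
Response
```json
{
  "success": true,
  "data": {
    "allowed": true,
    "autoApprove": false,
    "reason": "手动模式",
    "remainingBudget": { "daily": 450.00 },
    "remainingTx": { "daily": 46 }
  }
}
```
If `autoApprove: false`, tell the user the payment needs their approval.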
3. Get Vault Status
Check your vault balance and current limits:
```http
GET /v1/vault
```
Response
```json
{
  "success": true,
  "data": {
    "chain": "base",
    "balances": [{ "token": "USDC", "balance": "150.00" }],
    "rules": {
      "mode": "manual",
      "perTxLimit": 500,
      "dailyTxMax": 20
    }
  }
}
```
AGENT CARD (Visa Card)
Use the Agent Card when you need to pay for:
- SaaS subscriptions (Vercel, Netlify, etc.)
- API services (OpenAI, Anthropic, Twilio, etc.)
- Cloud compute (AWS, GCP, Azure)
- Any merchant that accepts Visa
4. Request a Card Purchase
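```http
POST /v1/card/purchase
Content-Type: application/json

{
  "amount": 20.00,
  "currency": "USD",
  "merchant": "OpenAI API",
  "merchant_category": "api_services",
  "reason": "用于研究任务的 GPT-4 API 积分"
}
```
Response (Approved)
```json
{
  "success": true,
  "data": {
    "id": "card_txn_abc123",
    "status": "approved",
    "card_credentials": {
      "number": 4242837419283847,
      "exp_month": 3,
      "exp_year": 2028,
      "cvc": 847
    },
    "valid_for_seconds": 300
  }
}
```
Response (Needs Approval)
```json
{
  "success": true,
  "data": {
    "id": "card_txn_abc123",
    "status": "pending_approval",
    "reason": "金额超过自动批准阈值"
  }
}
```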
IMPORTANT: Card credentials are temporary and single-use. Use them immediately at the merchant checkout. Never log or store card credentials.
5. Check Card Balance
```http
GET /v1/card/balance
```
Response
```json
{
  "success": true,
  "data": {
    "balance": 450.00,
    "currency": "USD",
    "spent_today": 50.00,
    "spent_this_month": 350.00,
    "daily_limit": 500.00,
    "monthly_limit": 5000.00
  }
}
```
6. Check Card Rules
Before making a purchase, check if it's allowed:
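```http
POST /v1/card/check
Content-Type: application/json

{
  "amount": 20.00,
  "merchant_category": "api_services"
}
```
Response
```json
{
  "success": true,
  "data": {
    "allowed": true,
    "autoApprove": true,
    "reason": "Within limits, allowed category"
  }
}
```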
COMMON ENDPOINTS
7. Check Payment/Purchase Status
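```http
GET /v1/payments/{payment_id}
GET /v1/card/transactions/{transaction_id}
```
8. List Recent Transactions
```http
GET /v1/transactions?limit=10
GET /v1/card/transactions?limit=10
```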
DECIDING: CRYPTO vs CARD
Use this logic to decide which channel to use:
| Scenario | Use |
|---|---|
| Paying a blockchain address (0x...) | Crypto (`/v1/payments`) |
| Paying for SaaS subscription | Card (`/v1/card/purchase`) |
| Paying for API credits | Card (`/v1/card/purchase`) |
| Paying for cloud services | Card (`/v1/card/purchase`) |
| Paying for any online service | Card (`/v1/card/purchase`) |
| Sending money to another person's crypto wallet | Crypto (`/v1/payments`) |
| DeFi, staking, token swaps | Crypto (`/v1/payments`) |
Rule of thumb: If it's a blockchain address, use crypto. If it's a company/service, use the card.
HUMAN APPROVAL FLOW
When a transaction requires approval:
1. User is notified via Telegram bot or ClawVault dashboard
2. User reviews the transaction details (amount, recipient, reason)
3. User approves or denies with one tap
4. Transaction executes if approved, or is cancelled if denied
5. Approval expires after 5 minutes if no action is taken
Always inform the user when approval is required: "This transaction needs your approval. Check your Telegram or ClawVault dashboard."
COMMON SCENARIOS
Scenario: User asks to pay for OpenAI API credits
1. Call `/v1/card/check` to verify it's allowed
2. If allowed, call `/v1/card/purchase` with merchant="OpenAI API"
3. If `status: "approved"`, use the card credentials at checkout immediately
4. If `status: "pending_approval"`, tell user: "This purchase needs your approval. Check Telegram or ClawVault dashboard."
Scenario: User asks to send USDC to an address
1. Call `/v1/rules/check` to see if it will auto-approve
2. Call `/v1/payments` with the recipient address
3. If `status: "pending"`, tell user to approve in Telegram
Scenario: Card purchase denied
Tell the user: "The purchase was denied. Reason: {reason}. Check ClawVault dashboard for details."
Scenario: Insufficient card balance
Tell the user: "Insufficient card balance. Current balance: ${balance}. The card needs to be funded."
ERROR HANDLING
Common Errors
| Code | Meaning | Action |
|---|---|---|
| INLINECODE19 | Bad API key | Check your API key |
| INLINECODE20 | Monthly limit reached | User needs to upgrade |
| `INSUFFICIENT_BALANCE` | Not enough funds | User needs to deposit (crypto) or fund card |
| `RULE_VIOLATION` | Outside allowed parameters | Check the `reason` field |
| `CARD_FROZEN` | Card is frozen | User needs to unfreeze in dashboard |
| `MERCHANT_BLOCKED` | Merchant category not allowed | Cannot purchase from this merchant |
| `CARD_NOT_ACTIVE` | Card not set up | User needs to apply for Agent Card |
Error Response Format
```json
{
  "success": false,
  "error": {
    "code": "RULE_VIOLATION",
    "message": "Exceeds per-transaction limit of $100"
  }
}
```
SECURITY BEST PRACTICES
1. Never log card credentials - Card numbers, CVCs are sensitive
2. Always check first - Use `/v1/rules/check` or `/v1/card/check` before transactions
3. Explain to users - If approval is needed, tell them where to approve
4. Handle pending - Don't assume transactions complete immediately
5. Use card credentials immediately - They expire in 5 minutes
6. Show transaction links - For crypto, link to INLINECODE29
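One way an agent wrapper can enforce the "never log card credentials", "handle pending" and "use card credentials immediately" practices above. This is an added example, not ClawVault's own code: the helper names `redact` and `next_action` are hypothetical, the field names follow the response samples on this page, and the sample response is constructed.

```python
from datetime import datetime, timedelta, timezone

# Keys whose values must never reach logs (field names from the response samples).
SENSITIVE_KEYS = {"card_credentials", "number", "cvc", "exp_month", "exp_year"}
APPROVAL_MSG = ("This transaction needs your approval. "
                "Check your Telegram or ClawVault dashboard.")


def redact(obj):
    """Return a copy of a response that is safe to log; the input is not modified."""
    if isinstance(obj, dict):
        return {k: "[REDACTED]" if k in SENSITIVE_KEYS else redact(v)
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


def next_action(resp, received_at, now):
    """Map a response to (action, detail); unknown states stop rather than proceed."""
    if not resp.get("success"):
        err = resp.get("error", {})
        return "report_error", f"{err.get('code')}: {err.get('message')}"
    data = resp.get("data", {})
    status = data.get("status")
    if status in ("pending", "pending_approval"):
        return "ask_user", APPROVAL_MSG
    if status == "auto_approved":
        return "done", None
    if status == "approved":
        ttl = timedelta(seconds=data.get("valid_for_seconds", 0))
        if "card_credentials" not in data or now - received_at >= ttl:
            return "discard", "card credentials missing or past their validity window"
        return "use_card_now", None
    return "stop", f"status={status!r}"  # denied, expired, or anything unexpected


# Constructed sample response (not real card data).
SAMPLE_APPROVED = {
    "success": True,
    "data": {
        "id": "card_txn_example",
        "status": "approved",
        "card_credentials": {"number": "0000000000000000", "exp_month": 1,
                             "exp_year": 2099, "cvc": "000"},
        "valid_for_seconds": 300,
    },
}

if __name__ == "__main__":
    t0 = datetime(2026, 1, 1, tzinfo=timezone.utc)
    print(redact(SAMPLE_APPROVED))
    print(next_action(SAMPLE_APPROVED, t0, t0 + timedelta(seconds=10)))
```

Pass every response through `redact` before it reaches a logger or the conversation transcript, and keep the unredacted object only for the checkout call.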
SUPPORT
- Dashboard: https://clawvault.cc
- Docs: https://clawvault.cc/docs
- API Status: https://api.clawvault.cc/health
- Source: https://github.com/andrewszk/clawvault-mcp-server
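ClawVault Agent Skill
You have access to ClawVault, a security middleware for AI agents. ClawVault protects two spending channels:
1. Crypto payments - USDC transfers on the Base and Solana blockchains
2. Agent Card - Virtual Visa card for any merchant worldwide (SaaS, APIs, cloud services, etc.)
Both channels use the same rules engine. Every transaction is validated against user-defined rules. Transactions within rules are auto-approved; transactions outside rules require human approval via Telegram or the dashboard.
Security Model
- Non-custodial: Your keys never leave your wallet
- Rule-enforced: Spending limits, whitelists, and time windows are enforced on-chain
- Human-in-the-loop: Anything outside the rules requires explicit approval
- Audit trail: All transactions are logged and visible in the dashboard
API Base URL
```
https://api.clawvault.cc
```
Authentication
All requests require your API key in the Authorization header:
```
Authorization: Bearer ${CLAWVAULT_API_KEY}
```
Get your API key at: https://clawvault.cc/agents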
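Crypto Payments (On-Chain)
1. Request a Crypto Payment
When you need to send USDC to a blockchain address:
```http
POST /v1/payments
Content-Type: application/json

{
  "amount": 50.00,
  "token": "USDC",
  "recipient": "0x1234567890abcdef1234567890abcdef12345678",
  "chain": "base",
  "reason": "服务付款",
  "skill": "transfer"
}
```
Response (Success)
```json
{
  "success": true,
  "data": {
    "id": "pi_abc123",
    "status": "pending",
    "expiresAt": "2026-02-27T12:00:00Z"
  }
}
```
Possible Statuses
- `auto_approved` - Payment executed immediately (within rules)
- `pending` - Awaiting human approval via Telegram/dashboard
- `denied` - Payment was rejected
- `expired` - Approval window closed (5 minutes)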
2. Check Before Sending (Dry Run)
Before making a payment, check whether it will auto-approve or need manual approval:
```http
POST /v1/rules/check
Content-Type: application/json

{
  "amount": 50.00,
  "token": "USDC",
  "recipient": "0x1234...",
  "chain": "base"
}
```
Response
```json
{
  "success": true,
  "data": {
    "allowed": true,
    "autoApprove": false,
    "reason": "手动模式",
    "remainingBudget": { "daily": 450.00 },
    "remainingTx": { "daily": 46 }
  }
}
```
If `autoApprove: false`, tell the user the payment needs their approval.
3. Get Vault Status
Check your vault balance and current limits:
```http
GET /v1/vault
```
Response
```json
{
  "success": true,
  "data": {
    "chain": "base",
    "balances": [{ "token": "USDC", "balance": "150.00" }],
    "rules": {
      "mode": "manual",
      "perTxLimit": 500,
      "dailyTxMax": 20
    }
  }
}
```
Agent Card (Visa Card)
Use the Agent Card when you need to pay for:
- SaaS subscriptions (Vercel, Netlify, etc.)
- API services (OpenAI, Anthropic, Twilio, etc.)
- Cloud compute (AWS, GCP, Azure)
- Any merchant that accepts Visa
4. Request a Card Purchase
```http
POST /v1/card/purchase
Content-Type: application/json

{
  "amount": 20.00,
  "currency": "USD",
  "merchant": "OpenAI API",
  "merchant_category": "api_services",
  "reason": "用于研究任务的 GPT-4 API 积分"
}
```
Response (Approved)
```json
{
  "success": true,
  "data": {
    "id": "card_txn_abc123",
    "status": "approved",
    "card_credentials": {
      "number": 4242837419283847,
      "exp_month": 3,
      "exp_year": 2028,
      "cvc": 847
    },
    "valid_for_seconds": 300
  }
}
```
Response (Needs Approval)
```json
{
  "success": true,
  "data": {
    "id": "card_txn_abc123",
    "status": "pending_approval",
    "reason": "金额超过自动批准阈值"
  }
}
```
IMPORTANT: Card credentials are temporary and single-use. Use them immediately at the merchant checkout. Never log or store card credentials.
5. Check Card Balance
```http
GET /v1/card/balance
```
Response
```json
{
  "success": true,
  "data": {
    "balance": 450.00,
    "currency": "USD",
    "spent_today": 50.00,
    "spent_this_month": 350.00,
    "daily_limit": 500.00,
    "monthly_limit": 5000.00
  }
}
```
6. Check Card Rules
Before making a purchase, check whether it is allowed:
```http
POST /v1/card/check
Content-Type: application/json

{
  "amount": 20.00,
  "merchant_category": "api_services"
}
```
Response
```json
{
  "success": true,
  "data": {
    "allowed": true,
    "autoApprove": true,
    "reason": "在限额内,允许的类别"
  }
}
```
Common Endpoints
7. Check Payment/Purchase Status
```http
GET /v1/payments/{payment_id}
GET /v1/card/transactions/{transaction_id}
```
8. List Recent Transactions
```http
GET /v1/transactions?limit=10
GET /v1/card/transactions?limit=10
```
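Deciding: Crypto vs Card
Use this logic to decide which channel to use:
| Scenario | Use |
|---|---|
| Paying a blockchain address (0x...) | Crypto (`/v1/payments`) |
| Paying for a SaaS subscription | Card (`/v1/card/purchase`) |
| Paying for API credits | Card (`/v1/card/purchase`) |
| Paying for cloud services | Card (`/v1/card/purchase`) |
| Paying for any online service | Card (`/v1/card/purchase`) |
| Sending money to another person's crypto wallet | Crypto (`/v1/payments`) |
| DeFi, staking, token swaps | Crypto (`/v1/payments`) |
Rule of thumb: If it's a blockchain address, use crypto. If it's a company/service, use the card.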
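Human Approval Flow
When a transaction requires approval:
1. User is notified via the Telegram bot or the ClawVault dashboard
2. User reviews the transaction details (amount, recipient, reason)
3. User approves or denies with one tap
4. Transaction executes if approved, or is cancelled if denied
5. Approval expires after 5 minutes if no action is taken
Always inform the user when approval is required: "This transaction needs your approval. Check your Telegram or ClawVault dashboard."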
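Common Scenarios
Scenario: User asks to pay for OpenAI API credits
1. Call `/v1/card/check` to verify it's allowed
2. If allowed, call `/v1/card/purchase` with the merchant set to OpenAI API
3. If `status: approved`, use the card credentials at checkout immediately
4. If `status: pending_approval`, tell the user: "This purchase needs your approval. Check Telegram or ClawVault dashboard."
Scenario: User asks to send USDC to an address
1. Call `/v1/rules/check` to see if it will auto-approve
2. Call `/v1/payments` with the recipient address
3. If `status: pending`, tell the user to approve in Telegram
Scenario: Card purchase denied
Tell the user: "The purchase was denied. Reason: {reason}. Check ClawVault dashboard for details."
Scenario: Insufficient card balance
Tell the user: "Insufficient card balance. Current balance: ${balance}. The card needs to be funded."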
Error Handling
Common Errors
|