@clawpayer/cli
v0.1.3
Published
Secure card vault with policy-gated payments for AI agents. Works as MCP server and OpenClaw plugin.
Readme
🦞 ClawPay
A payment gateway for AI agents. Self-hosted. Open source. No SaaS. No bullshit.
ClawPay is an encrypted card vault with a policy engine that lets AI agents make payments on your behalf — with rules you control.
Your agent browses a store, picks items, gets to checkout, and calls ClawPay. ClawPay checks your rules, asks for your approval if needed, and hands over the card details. The agent fills in the form. Done.
Works as a standalone MCP server (Claude, Cursor, any MCP client) and as an OpenClaw plugin (Moltbot and other OpenClaw agents).
Before you @ us about security
Yeah, we know. We're going to get replies like:
"You're storing credit card numbers locally?? That's insane!"
"This will never be PCI compliant!"
"Giving an LLM access to payment info is reckless!"
Cool. Let's talk about what's actually reckless.
You gave an AI agent full access to your computer. It can read your files, execute code, browse the web, and click buttons on your behalf. It has access to your email, your documents, your terminal, your browser sessions. You let it run shell commands. You let it navigate authenticated web pages. You gave it your whole digital life and said "yeah go ahead."
But a credit card number encrypted with AES-256 on your own machine? That's where we draw the line? That's the security concern?
"But what about UCP and AP2?" Yeah, we know about them. Google launched the Universal Commerce Protocol with Shopify, Visa, Mastercard, Stripe, and 20+ partners. It's an open standard for agentic commerce — merchants expose a /.well-known/ucp endpoint, agents talk to it, and AP2 handles the payment trust layer with cryptographic mandates so prices can't change mid-flow and everything is verifiable. It's genuinely good protocol design.
And it requires every single merchant to adopt it.
Target, Walmart, Shopify stores — sure, they'll get there. But the vintage camera shop in Tokyo? The niche supplement store in Portugal? The indie artisan on a self-hosted WooCommerce? The random e-commerce site your agent just found through a Google search? They're running a checkout form with card fields. That's it. No /.well-known/ucp. No AP2 mandates. No agentic commerce endpoint. Just HTML inputs waiting for 16 digits.
UCP/AP2 is the right long-term answer for structured agentic commerce. ClawPay is the answer for the other 99% of the internet that's still just a checkout form. When UCP achieves universal adoption, ClawPay becomes unnecessary. We genuinely look forward to that day. But we're not going to sit here and wait for it while agents can do everything except pay for things.
We chose to ship. Is it perfect? No. Is it more dangerous than the 47 other things your agent already has access to? Absolutely not. Your agent can already rm -rf your home directory, send emails as you, and post on your social media. But sure, let's pretend the credit card is the dangerous part.
The current state of agentic technology demands that we move fast and adapt existing tools to work with agents. Every day we wait for the "perfect secure solution" is a day agents remain crippled at the most critical step of any transaction. We'd rather give people a tool with guardrails than have them paste card numbers into chat windows — which, let's be honest, is what's already happening.
ClawPay is a pragmatic bridge. It's not the final answer. It's the answer for right now. Use UCP/AP2 when the merchant supports it. Use ClawPay when they don't. When better infrastructure exists everywhere, we'll happily deprecate ourselves. Until then, this is the best you've got — and it's a hell of a lot better than the alternatives.
How it works
┌─────────────┐ ┌──────────────┐ ┌───────────┐
│ AI Agent │────▶│ ClawPay │────▶│ Checkout │
│ (Moltbot, │ │ │ │ (Shopify, │
│ Claude, │ 1. request_card() │ │ Amazon, │
│ Cursor) │◀────│ 2. policy │ │ any site)│
│ │ │ 3. approve? │ │ │
│ │card │ 4. decrypt │ │ │
│ │info │ 5. return │ │ │
│ │────▶│ │────▶│ │
└─────────────┘ └──────────────┘ └───────────┘- Agent is at a checkout page and needs to pay
- Agent calls
request_card(amount, merchant, description) - ClawPay's policy engine evaluates the request:
- Under $25? Auto-approved. Card details returned instantly.
- Over $25? Human approval required. You get a prompt.
- Over $1000? Blocked. No card for you.
- Daily limit hit? Blocked.
- Blocked merchant? Blocked.
- If approved, ClawPay decrypts the card from the local vault
- Agent receives card details and fills in the checkout form
The agent never gets card info without passing through the policy gate.
Quick start
Install
npx clawpay initThis creates ~/.clawpay/ with an encryption key (stored in your system keychain) and a default config.
Add your card
npx clawpay add-cardCard details are encrypted with AES-256-GCM and stored locally. They never leave your machine.
Configure policies
Edit ~/.clawpay/config.yaml:
policies:
autoApproveUnder: 25.00
requireApprovalAbove: 25.00
blockAbove: 1000.00
dailyLimit: 200.00
monthlyLimit: 2000.00
blockedKeywords:
- gambling
- crypto
blockedMerchants:
- sketchy-site.com
currency: USD
approval:
method: terminal # terminal | webhook | slack
timeout: 300 # seconds before auto-denyUse with any MCP client
Add to your Claude Desktop / Cursor / etc MCP config:
{
"mcpServers": {
"clawpay": {
"command": "npx",
"args": ["clawpay", "serve"]
}
}
}Use with OpenClaw
ClawPay ships as a native OpenClaw plugin. It registers request_card and get_payment_policy as optional agent tools — meaning your agent (Moltbot, etc.) won't use them unless you explicitly enable them.
Option A — Install via npm (recommended)
openclaw plugins install clawpayOption B — Manual install (from source)
Clone this repo into your OpenClaw extensions/ directory:
cd /path/to/openclaw/extensions
git clone https://github.com/valdo99/clawpay.git
cd clawpay
npm install && npm run buildThe directory structure OpenClaw expects:
openclaw/
extensions/
clawpay/
openclaw.plugin.json ← plugin manifest (required)
dist/
integrations/
openclaw-plugin.js ← entry point
core/
... ← vault, policy, approval
package.jsonConfigure the plugin
In your OpenClaw config, add ClawPay settings:
plugins:
clawpay:
auto_approve_under: 25
require_approval_above: 25
block_above: 1000
daily_limit: 200
monthly_limit: 2000
currency: USD
blocked_keywords:
- gambling
approval_method: terminal # terminal | webhook
approval_timeout: 300Enable the tools for your agent
ClawPay tools are registered as optional: true for safety — an agent can't use them until you explicitly allow it. In your OpenClaw agent config:
agents:
list:
- id: main
tools:
allow:
- request_card
- get_payment_policy
# or allow all clawpay tools at once:
# - clawpayInitialize the vault
Before your agent can request card details, you need to set up the encrypted vault:
npx clawpay init # generates encryption key, stores in keychain
npx clawpay add-card # encrypts and stores your card locallyThat's it. Your OpenClaw agent can now call request_card at checkout. The policy engine evaluates every request, and the approval handler kicks in for anything above your auto-approve threshold.
MCP Tools
request_card
The main tool. Agent calls this before filling in a payment form.
| Parameter | Type | Required | Description | |-----------|------|----------|-------------| | amount | number | yes | Total payment amount | | merchant | string | yes | Merchant name or domain | | description | string | yes | What's being purchased | | currency | string | no | Currency code (default: USD) |
Returns (if approved):
{
"approved": true,
"cardholderName": "John Doe",
"number": "4242424242424242",
"expMonth": "12",
"expYear": "2027",
"cvv": "123",
"billingAddress": { ... }
}Returns (if denied):
{
"approved": false,
"reason": "Amount $500 requires human approval — user denied."
}get_payment_policy
Lets the agent check your rules before attempting a purchase. No card info is returned.
check_card_status
Check if a card is stored. No card info is returned.
Architecture
clawpay/
src/
core/
vault.ts # AES-256-GCM encrypted card storage
policy.ts # Rule evaluation engine
clawpay.ts # Main engine (vault + policy + approval)
integrations/
mcp-server.ts # Standalone MCP server (stdio)
openclaw-plugin.ts # OpenClaw extension
approval/
terminal.ts # CLI-based approval prompts
webhook.ts # Webhook/Slack approval
index.ts # Approval router
types/
index.ts # TypeScript types
bin/
cli.ts # CLI tool (init, add-card, status)
openclaw.plugin.json # OpenClaw plugin manifestVault: Your card is encrypted with AES-256-GCM. The encryption key is stored in your system keychain (macOS Keychain, Linux secret-service, Windows Credential Manager). Fallback to file-based key storage if keychain is unavailable. The encrypted vault lives at ~/.clawpay/vault.enc.
Policy engine: YAML-driven rules. Amount thresholds, daily/monthly limits, merchant allow/block lists, keyword filters. All evaluated locally.
Approval: Pluggable. Terminal prompts for local use, webhooks for anything else (Slack bots, Telegram bots, mobile apps, your own dashboard). Easy to add new approval channels.
Transaction log: Every request (approved or denied) is logged to ~/.clawpay/transactions.json for your records.
Extending ClawPay
Add a new approval channel
Create a function matching this signature:
async function myApproval(
payment: PaymentRequest,
policyResult: PolicyResult,
timeoutMs: number
): Promise<boolean>Add it to src/approval/ and wire it into the router in src/approval/index.ts.
Use as a library
import { ClawPay } from "clawpay";
const cp = await ClawPay.load();
const result = await cp.requestCard({
amount: 29.99,
merchant: "cool-store.com",
description: "A very cool hat",
});
if (result.approved) {
// result.card has the details
}Roadmap
- [ ] UCP/AP2 adapter — detect
/.well-known/ucpand use the proper protocol when available, fall back to raw card entry when not - [ ] Multi-card support (personal vs business)
- [ ] Per-merchant spending limits
- [ ] Receipt / order confirmation parsing
- [ ] Browser extension for approval notifications
- [ ] Transaction dashboard (local web UI)
- [ ] Plugin system for custom policy rules
- [ ] E2E tests
FAQ
Is this PCI compliant? No, and it's not trying to be. PCI-DSS applies to businesses that store/process/transmit cardholder data as a service. This is a self-hosted tool storing your own card on your own machine, like a password manager. If you're running this for yourself, PCI doesn't apply to you the same way it applies to Stripe.
What if my machine is compromised? Then the attacker has access to everything else on your machine too — your browser sessions, saved passwords, cookies, email, SSH keys. The encrypted card vault is frankly the least of your problems. But yes, the card data is encrypted at rest with AES-256-GCM and the key lives in your system keychain, which is also encrypted.
Can agents just ask for the card without a real purchase? They can ask. The policy engine decides. If an agent requests card details for "amount: $0.01, merchant: definitely-not-a-scam.com" it still has to pass your rules. And every request is logged.
Why not just use UCP / AP2? You should — when the merchant supports it. UCP is the right protocol for structured agentic commerce, and AP2's cryptographic mandates are a better trust model than what ClawPay offers. But UCP requires merchant adoption. Today that means a handful of big retailers. ClawPay works with any checkout form on any website, right now, with zero merchant integration. Use UCP when you can, ClawPay when you can't.
Why not just use Stripe / virtual cards / Apple Pay? Because none of those work at an arbitrary web checkout initiated by an agent today. Stripe requires merchant integration. Virtual cards require a platform. Apple Pay requires the specific browser and device flow. ClawPay works with any checkout, any merchant, right now.
Contributing
PRs welcome. Especially for:
- New approval channels (Discord, Telegram, email, mobile push)
- Better policy rules
- Security improvements
- Tests
- Documentation
License
MIT
Built because the world is going agentic whether the payment infrastructure is ready or not.