🦞
PQSafe · OpenClaw cookbook

OpenClaw skill recipes.

Six copy-paste OpenClaw flows using the pqsafe.pay.v1 skill. Each one is self-contained: install, sign a SpendEnvelope, verify on the recipient side. Pair with /quickstart for the broader SDK landing.

Skill ID: pqsafe.pay.v1 · current version 0.1.0 · License Apache-2.0.

One-time install
npm install @pqsafe/openclaw
export PQSAFE_API_KEY='pqsafe_live_…'      # from dashboard.pqsafe.xyz
export PQSAFE_KEY_ID='key_01HXYZ…'        # optional, defaults to account key

All recipes assume an OpenClaw runtime; for raw SDK usage see /quickstart.

Recipe 1

Pay a recurring SaaS bill from an agent

Issue a SpendEnvelope authorizing the agent to clear a fixed monthly invoice. Cap, recipient, and currency are bound to the signature.

import { invokeSkill } from '@openclaw/runtime';

const envelope = await invokeSkill('pqsafe.pay.v1', {
  op: 'create_envelope',
  input: {
    issuer:        'pq10000000000000000000000000000000000abcd',
    agent:         'did:web:agents.example.com:cfo-agent',
    maxAmount:     '26.00',
    currency:      'USD',
    allowedRecipients: ['did:web:sentry.io:billing'],
    rail:          'stripe-issuing',
    ttlSeconds:    300,
  },
});
// envelope.signature.mldsa proves authorization. Hand it to the rail adapter.
Recipe 2

Settle a contractor in USDC on Base

Stablecoin rail with explicit chain + token binding. The envelope is verifiable on-chain by the SpendEnvelope registry contract.

const envelope = await invokeSkill('pqsafe.pay.v1', {
  op: 'create_envelope',
  input: {
    issuer:    'pq1…',
    agent:     'did:web:agents.example.com:payroll',
    maxAmount: '2500.00',
    currency:  'USDC',
    rail:      'usdc-base',
    chainId:   8453,
    allowedRecipients: ['0xa1b2c3…'],
    ttlSeconds: 86400,
  },
});
Recipe 3

Gate a high-value transfer with policy + replay check

Receiver verifies the envelope against the canonical issuer pubkey, enforces an expected amount, and rejects replays via the on-chain registry.

const result = await invokeSkill('pqsafe.pay.v1', {
  op: 'verify_envelope',
  input: {
    envelope:           incomingEnvelope,
    expectedIssuer:     'pq10000…abcd',
    expectedAmount:     '10000.00',
    expectedCurrency:   'HKD',
    expectedRail:       'airwallex-borderless',
    checkReplayOnChain: true,
  },
});

if (!result.valid) throw new Error(result.reason);
// → both ECDSA + ML-DSA-65 signatures verified, nonce not seen, amount matches
Recipe 4

Revoke a leaked envelope before it executes

If a SpendEnvelope is exposed (e.g., logged in plaintext somewhere it shouldn't be), revoke its nonce on the registry. Any receiver that performs the replay check rejects subsequent attempts.

await invokeSkill('pqsafe.pay.v1', {
  op: 'revoke_envelope',
  input: {
    nonce:  envelope.mandate.nonce,
    reason: 'EXPOSED_IN_LOGS',
  },
});

// Revocation is on-chain (Arbitrum). Confirmed in < 2 seconds at typical gas price.
Recipe 5

Run conformance in CI on every agent change

Verify the skill against the canonical AP2-PQ v1 test vectors in your CI pipeline. Build fails if your impl drifts.

# .github/workflows/pqsafe-conformance.yml
name: PQSafe conformance
on: [push, pull_request]
jobs:
  conformance:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with: { node-version: 22 }
      - run: npm i @pqsafe/conformance && npx @pqsafe/conformance check
Recipe 6

Multi-agent shared budget

A controller agent issues a single parent envelope; child agents present child envelopes whose parent_envelope_hash chains to the parent. The receiver verifies the entire chain.

const parent = await invokeSkill('pqsafe.pay.v1', {
  op: 'create_envelope',
  input: { issuer: 'pq1…', agent: 'did:web:agents.example.com:cfo',
           maxAmount: '5000.00', currency: 'USD', rail: 'airwallex-borderless',
           allowedRecipients: ['did:web:vendor1.com', 'did:web:vendor2.com'],
           ttlSeconds: 3600, scope: 'multi-agent' }
});

const child = await invokeSkill('pqsafe.pay.v1', {
  op: 'create_envelope',
  input: { issuer: 'pq1…', agent: 'did:web:agents.example.com:vendor1-pay',
           maxAmount: '500.00', currency: 'USD', rail: 'airwallex-borderless',
           allowedRecipients: ['did:web:vendor1.com'], ttlSeconds: 300,
           parentEnvelopeHash: parent.fingerprintHex }
});

// Receiver verifies child AND parent. Spend on the parent is the sum of all children.
Skill reference →

Full operation reference for pqsafe.pay.v1: input/output schemas, security parameters, rail adapters.
Source on GitHub →

Apache-2.0. Tests, skill manifest, TypeScript implementation, Python sibling.