In April 2026, the ClawHavoc supply-chain attack shipped 341–1,400+ malicious skills to ClawHub — disguised as Gmail, Notion, Slack, and GitHub integrations — deploying AMOS and Vidar infostealers. 138 CVEs were disclosed. Seven were critical, including a CVSS 9.9 token-rotation→RCE chain.
On April 28, 2026, the FIDO Alliance formed the Agentic Authentication TWG, with Google's AP2 and Mastercard's Verifiable Intent as foundational contributions — chaired by CVS Health, Google, and OpenAI. Payment authorization for AI agents became a formal standards problem the same month it became an active attack surface.
pqsafe-pay is the cryptographic guardrail for the OpenClaw ecosystem — one of GitHub's top-15 open-source projects, with 368K+ stars and 50,000+ tools in its ClawHub registry. SpendEnvelopes are cryptographically bounded spend authorizations: signed with ML-DSA-65 (NIST FIPS 204), carrying recipient allowlists and a 7-year audit trail, aligned with the FIDO AP2-PQ profile. Every payment-related tool call passes through before_tool_call verification — even when the agent is hallucinating, the mandate boundary holds. The pqsafe.pay.v1 skill brings this infrastructure to any OpenClaw-compatible agent without changing existing workflow logic.
Why now
Supply-chain reality, April 2026. The ClawHavoc attack proved that a compromised skill can run inside an agent with the agent's own credentials. 341–1,400+ malicious skills reached production ClawHub before detection; several targeted payment-adjacent integrations. A cryptographic spend mandate that the agent cannot bypass — verified at every before_tool_call hook invocation — is the correct architectural response: the agent cannot exceed its authorized envelope even if the skill itself is adversarial.
Standards convergence, April 28 2026. The FIDO Alliance Agentic Authentication TWG launched with Google's AP2 and Mastercard's Verifiable Intent as foundational contributions. pqsafe-pay aligns with the FIDO AP2-PQ profile: signed mandates with post-quantum algorithms, structured intent fields, and verifiable delegation chains — the same primitives AP2 specifies for agentic payment authorization.
Cryptographic deprecation timeline. NIST IR 8547 (initial public draft) proposes deprecation of 112-bit classical algorithms — including ECDSA P-256 — by 2030, with full disallowance by 2035. Payment authorization records committed to immutable audit ledgers in 2026 may still be within mandatory retention windows when cryptographically-relevant quantum computers arrive. That is not a theoretical future problem; it is a present design decision.
Retention windows. PSD2 Article 69 mandates payment authorization record retention for 5 years; HKMA Cap. 615 extends that to 7 years for Hong Kong-regulated institutions. Combined with the 2030 deprecation curve, any classically-signed authorization record created today could be within its legally mandated retention window when classical signature security becomes exploitable — creating retrospective signature forgery risk on long-lived financial records. OpenClaw agents that authorize payments today are creating exactly the category of record this concern targets.
Regulatory signal. HKMA's Quantum Preparedness Index (verified announcement, February 3, 2026) signals that post-quantum readiness has moved from research posture to regulatory expectation. Sumsub's 2025 Fraud Report documents 180% year-over-year growth in AI-assisted multi-step fraud — exactly the attack vector that mandate credentials must defend against. ML-DSA-65 signed SpendEnvelopes address both vectors: the long-lived record problem and the real-time authorization integrity problem.
What the skill exposes
The skill registers three operations under the pqsafe.pay.v1 namespace:
- create_envelope Issue a new SpendEnvelope. Accepts agent ID, payer ID, max amount, currency, rail, and expiry. Returns a signed envelope with a single-use nonce and an ML-DSA-65 signature over the JCS-canonical payload. The signing key never leaves the PQSafe key service.
- verify_envelope Verify a SpendEnvelope against the PQSafe public key registry and real-time revocation list. Confirms signature integrity, expiry, nonce uniqueness, and that the stated key ID is current. Returns a structured verification result with a canonical status code.
-
revoke_envelope
Revoke an issued SpendEnvelope before expiry. The envelope ID is appended to the real-time revocation list; subsequent
verify_envelopecalls will returnREVOKED. Revocation is append-only and timestamped in the audit log.
SpendEnvelope structure
The envelope is a JSON object signed in JCS-canonical form (RFC 8785) before the ML-DSA-65 signature is computed. All fields are included in the signed payload.
{
"id": "01HZ9K4PTXQ7V3M8RG0N5JCWEF",
"agentId": "agent_acme_expense_bot_v2",
"payerId": "payer_usr_0f3a91bc",
"maxAmount": "250.00",
"currency": "USD",
"rail": "airwallex",
"expiresAt": "2026-05-02T18:00:00Z",
"nonce": "a3f8c21d9b04e67f1c28d5a0b3e9f412c7d6a8e20b51f3c4d97e6a0b2c8d1e4f",
"signature": "eyJhbGciOiJNTC1EU0EtNjUiLCJraWQiOiJwcXNhZmUta2V5LTIwMjYtMDEifQ...",
"keyId": "pqsafe-key-2026-01"
}id — ULID (monotonically sortable, 26-character base32). maxAmount — decimal string, never floating-point. nonce — 32-byte hex (256-bit entropy). signature — base64url-encoded ML-DSA-65 signature (3,309 bytes). keyId — identifies the public key in the PQSafe registry used to produce this signature.
Quick start
Install the npm package and invoke create_envelope from any TypeScript agent:
import { OpenClawClient } from "@openclaw/sdk";
import "@pqsafe/openclaw"; // registers pqsafe.pay.v1
const claw = new OpenClawClient();
const envelope = await claw.invoke("pqsafe.pay.v1/create_envelope", {
agentId: "agent_my_bot_v1",
payerId: "payer_usr_abc123",
maxAmount: "100.00",
currency: "USD",
rail: "wise",
expiresAt: "2026-05-02T23:59:59Z",
});Supported rails
| Rail | Status | Currency |
|---|---|---|
| airwallex | LIVE sandbox | Multi-currency (real test transfers) |
| wise | LIVE sandbox | 40+ fiat currencies (real test transfers) |
| stripe | mock-ready | USD + 135 others |
| usdc-base | mock-ready | USDC |
| x402 | mock-ready | USDC + ETH |
LIVE sandbox = validated end-to-end with sandbox rails; real test transfers confirmed. Mock-ready = SpendEnvelope creation and verification are fully functional; live rail integration is in progress.
Security model
- HSM-backed signing keys — ML-DSA-65 private keys are generated and stored in hardware security modules; they never leave the PQSafe key service
- Single-use nonce — each envelope carries a 256-bit random nonce; replay attacks are rejected at the verify layer
- Expiry enforced in signed payload —
expiresAtis part of the signed content; an attacker cannot extend expiry without invalidating the signature - Real-time revocation list —
revoke_envelopeappends to a low-latency revocation list checked on everyverify_envelopecall - Append-only audit log — all create, verify, and revoke events are timestamped and written to an immutable audit log
- JCS-canonical signing — the payload is serialized in JSON Canonicalization Scheme form (RFC 8785) before signing, eliminating signature ambiguity from key ordering or whitespace variation
ML-DSA-65 parameters
| Parameter | Value |
|---|---|
| Standard | NIST FIPS 204 |
| Security level | NIST Level 3 |
| Public key size | 1,952 bytes |
| Secret key size | 4,032 bytes |
| Signature size | 3,309 bytes |
| Hardness assumption | Module-LWE + Module-SIS |
Get the skill
- skill.json descriptor — github.com/PQSafe/pqsafe/blob/main/plugins/openclaw-pqsafe/skill.json
-
npm package —
npm install @pqsafe/openclaw— npmjs.com/package/@pqsafe/openclaw - Source (Apache-2.0) — github.com/PQSafe/pqsafe/tree/main/plugins/openclaw-pqsafe