# Send Soho to your agent
Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.
## Fast path
- Download the package from Yavira.
- Extract it into a folder your agent can access.
- Paste one of the prompts below and point your agent at the extracted folder.
## Suggested prompts
### New install

```text
I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete.
```
### Upgrade existing

```text
I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run.
```
## Machine-readable fields
```json
{
  "schemaVersion": "1.0",
  "item": {
    "slug": "soho-pay",
    "name": "Soho",
    "source": "tencent",
    "type": "skill",
    "category": "开发工具",
    "sourceUrl": "https://clawhub.ai/max-clinch/soho-pay",
    "canonicalUrl": "https://clawhub.ai/max-clinch/soho-pay",
    "targetPlatform": "OpenClaw"
  },
  "install": {
    "downloadUrl": "/downloads/soho-pay",
    "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=soho-pay",
    "sourcePlatform": "tencent",
    "targetPlatform": "OpenClaw",
    "packageFormat": "ZIP package",
    "primaryDoc": "SKILL.md",
    "includedAssets": [
      "package.json",
      "skill.json",
      "SKILL.md",
      "_meta.json",
      "src/pay.js",
      "src/signer/config.js"
    ],
    "downloadMode": "redirect",
    "sourceHealth": {
      "source": "tencent",
      "slug": "soho-pay",
      "status": "healthy",
      "reason": "direct_download_ok",
      "recommendedAction": "download",
      "checkedAt": "2026-05-09T06:15:02.919Z",
      "expiresAt": "2026-05-16T06:15:02.919Z",
      "httpStatus": 200,
      "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=soho-pay",
      "contentType": "application/zip",
      "probeMethod": "head",
      "details": {
        "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=soho-pay",
        "contentDisposition": "attachment; filename=\"soho-pay-2.0.0.zip\"",
        "redirectLocation": null,
        "bodySnippet": null,
        "slug": "soho-pay"
      },
      "scope": "item",
      "summary": "Item download looks usable.",
      "detail": "Yavira can redirect you to the upstream package for this item.",
      "primaryActionLabel": "Download for OpenClaw",
      "primaryActionHref": "/downloads/soho-pay"
    },
    "validation": {
      "installChecklist": [
        "Use the Yavira download entry.",
        "Review SKILL.md after the package is downloaded.",
        "Confirm the extracted package contains the expected setup assets."
      ],
      "postInstallChecks": [
        "Confirm the extracted package includes the expected docs or setup files.",
        "Validate the skill or prompts are available in your target agent workspace.",
        "Capture any manual follow-up steps the agent could not complete."
      ]
    }
  },
  "links": {
    "detailUrl": "https://openagent3.xyz/skills/soho-pay",
    "downloadUrl": "https://openagent3.xyz/downloads/soho-pay",
    "agentUrl": "https://openagent3.xyz/skills/soho-pay/agent",
    "manifestUrl": "https://openagent3.xyz/skills/soho-pay/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/soho-pay/agent.md"
  }
}
```
## Documentation

### SOHO Pay — Credit Layer Payments

This skill orchestrates payments through the SOHO Pay Creditor smart contract using the spendWithAuthorization EIP-712 flow.

This skill is manual-invocation only. It must not be triggered autonomously by a model. Every invocation requires explicit user confirmation.

### Architecture — Three-Party Separation

┌──────────────────┐     ┌──────────────────┐     ┌──────────────────┐
│  Wallet Signer   │     │   SoHo (Credit)  │     │   Blockchain     │
│  (user/operator) │     │                  │     │   (Base)         │
│                  │     │  Credit checks   │     │                  │
│  Signs EIP-712   │────▶│  JIT funding     │────▶│  Settlement      │
│  Owns keys       │     │  Authorization   │     │  Creditor.sol    │
│                  │     │                  │     │                  │
│  MPC / HSM /     │     │  NEVER signs     │     │                  │
│  Turnkey / Privy │     │  NEVER holds keys│     │                  │
└──────────────────┘     └──────────────────┘     └──────────────────┘

SoHo is a credit layer only. It does not custody, hold, generate, or control any signing keys or key shards, and it does not produce EIP-712 signatures.

All EIP-712 signatures come from a separate Wallet Signer owned and controlled by the user or agent operator (e.g., MPC provider like Turnkey/Privy/Fireblocks, or a user wallet).

The skill orchestrates between:

Wallet Signer — signing (user/operator-controlled)
SoHo — credit checks + just-in-time funding (credit layer only)
Blockchain — settlement

### Usage

node scripts/pay.js <amount> <merchantAddress> [payerAddress]

ArgumentDescriptionamountDecimal USDC value (e.g. 10, 0.5)merchantAddressExplicit 0x-prefixed EVM address (checksummed). Never a name.payerAddressRequired when SIGNER_PROVIDER=WALLET_SIGNER_REMOTE

### Example — Base Sepolia with local key (dev only)

export RPC_URL=https://sepolia.base.org
export CHAIN_ID=84532
export SIGNER_PROVIDER=LOCAL_PRIVATE_KEY
export SOHO_DEV_PRIVATE_KEY=0xabc...

node scripts/pay.js 10 0x1234567890abcdef1234567890abcdef12345678

### Example — Base Sepolia with remote wallet signer (production pattern)

export RPC_URL=https://sepolia.base.org
export CHAIN_ID=84532
export SIGNER_PROVIDER=WALLET_SIGNER_REMOTE
export WALLET_SIGNER_SERVICE_URL=https://your-mpc-signer.example.com
export SIGNER_SERVICE_AUTH_TOKEN=sk_live_...

node scripts/pay.js 10 0xMERCHANT... 0xPAYER...

### Workflow

Validate config — all env vars checked with Zod at startup; unknown chains rejected.
Parse inputs — amount and explicit merchant address (no name-to-address generation).
Pre-flight credit checks — SoHo credit layer verifies borrower registration, active status, credit limit.
Sign EIP-712 — Wallet Signer (user-controlled) produces signature. SoHo never signs.
Submit tx — call spendWithAuthorization on the Creditor contract.
Return result — transaction hash + block number.

### Supported Networks

NetworkChain IDStatusBase Sepolia84532SupportedBase Mainnet8453Requires SOHO_MAINNET_CONFIRM=YES

Unknown chain IDs are rejected at config validation time.

### Contract Addresses (Base Sepolia)

ContractAddressCreditor0x1867a19816f38ec31ec3af1be15fd7104f161978Borrower Manager0x76e51158015e869ab2875fa17b87383d8886e93cUSDC (test)0x55b8ff660d4f0f176de84f325d39a773a7a3bda7

### Key Custody Boundary

EntityRoleHolds keys?Wallet SignerProduces EIP-712 signaturesYes — user/operator-controlledSoHoCredit authorization + JIT fundingNo — credit layer onlyThis skillOrchestration between the aboveNo — passes typed data to signer

SoHo must NEVER custody, hold, generate, or control any signing keys or key shards.

### Wallet Signer Providers

ProviderWhen to useRisk levelWALLET_SIGNER_REMOTEProduction / MainnetLow — keys stay in user's MPC/HSM (Turnkey, Privy, Fireblocks, etc.)LOCAL_PRIVATE_KEYDev / Testnet onlyHigh — raw key in env

Default and recommended: WALLET_SIGNER_REMOTE. The skill sends EIP-712 typed data to the user's wallet signing service and never touches private keys.
Dev-only fallback: LOCAL_PRIVATE_KEY is gated to testnet chain IDs. Using it on mainnet requires DEV_ALLOW_LOCAL_KEY=YES and is strongly discouraged.

### Mainnet Safety Gate

Transactions on Base Mainnet (CHAIN_ID=8453) are refused unless SOHO_MAINNET_CONFIRM=YES is set. This prevents accidental mainnet spends during development.

### Recipient Address Policy

The skill never derives or generates an address from a merchant name. The merchantAddress argument must be an explicit, valid, checksummed EVM address. Any non-address input is rejected with an error.

### Invocation Policy

invocation: manual — the skill cannot be triggered autonomously.
require_confirmation: true — the orchestrator must obtain user confirmation before execution.
A runtime guard rejects execution if SOHO_AUTONOMOUS=true is detected in the environment.

### Threat Model & Mitigations

ThreatMitigationSigner compromiseDefault to WALLET_SIGNER_REMOTE (MPC/HSM); keys never leave the user's signing service. Local key gated to testnet only.Replay attacksRandom 32-byte nonce per transaction; validAfter / expiry window (10 min). On-chain nonce check in Creditor contract.Wrong merchant addressAddress generation from names removed. Only explicit checksummed EVM addresses accepted; checksum validated before signing.Accidental mainnet transactionSOHO_MAINNET_CONFIRM=YES safety gate required for chain ID 8453.Autonomous invocation with signing authorityinvocation: manual in metadata; require_confirmation: true; runtime guard blocks SOHO_AUTONOMOUS=true.SoHo used as signerArchitecture enforces SoHo = credit-only. No signing key env vars reference SoHo as a signer. Skill never passes keys to SoHo API.Undeclared env var dependenciesAll env vars declared in skill.json with types and sensitivity flags.MITM on wallet signer serviceUse HTTPS for WALLET_SIGNER_SERVICE_URL; bearer token auth via SIGNER_SERVICE_AUTH_TOKEN.

### Required (all modes)

VariableExampleDescriptionRPC_URLhttps://sepolia.base.orgJSON-RPC endpointCHAIN_ID8453284532 (Sepolia) or 8453 (Mainnet)SIGNER_PROVIDERWALLET_SIGNER_REMOTEWALLET_SIGNER_REMOTE or LOCAL_PRIVATE_KEY

### Required for WALLET_SIGNER_REMOTE

VariableDescriptionSensitiveWALLET_SIGNER_SERVICE_URLBase URL of user/operator's wallet signing serviceNoSIGNER_SERVICE_AUTH_TOKENBearer auth token for the wallet signing serviceYes

### SoHo Credit Layer

VariableDescriptionSensitiveSOHO_API_URLSoHo credit-layer API (credit checks, JIT funding)No

### Required for LOCAL_PRIVATE_KEY (dev / testnet only)

VariableDescriptionSensitiveSOHO_DEV_PRIVATE_KEYUser/operator's raw hex private key (NOT a SoHo key)Yes

### Conditional

VariableWhen requiredSOHO_MAINNET_CONFIRMMust be YES when CHAIN_ID=8453DEV_ALLOW_LOCAL_KEYSet YES to allow local key on non-testnet (dangerous)

### Dependencies

Install with:

npm install

PackagePurposeethersEVM interactions, EIP-712 signingdotenvLoad .env fileszodEnv var validation at startup
## Trust
- Source: tencent
- Verification: Indexed source record
- Publisher: max-clinch
- Version: 2.0.0
## Source health
- Status: healthy
- Item download looks usable.
- Yavira can redirect you to the upstream package for this item.
- Health scope: item
- Reason: direct_download_ok
- Checked at: 2026-05-09T06:15:02.919Z
- Expires at: 2026-05-16T06:15:02.919Z
- Recommended action: Download for OpenClaw
## Links
- [Detail page](https://openagent3.xyz/skills/soho-pay)
- [Send to Agent page](https://openagent3.xyz/skills/soho-pay/agent)
- [JSON manifest](https://openagent3.xyz/skills/soho-pay/agent.json)
- [Markdown brief](https://openagent3.xyz/skills/soho-pay/agent.md)
- [Download page](https://openagent3.xyz/downloads/soho-pay)