feat: add corbits — paid API marketplace with x402 micropayments

[tonyagents]

New Skill

Skill name: skills/corbits/

Description: Paid API marketplace for AI agents via Corbits. Search premium API proxies, call them with automatic USDC micropayments (x402), and fund the payment wallet with MoonPay.

Primary chain: Ethereum / Polygon (EVM)
Primary token: USDC

Checklist

• skills/corbits/SKILL.md with YAML frontmatter (name, description)
• Skill added to .claude-plugin/marketplace.json
• Description is specific about when Claude should trigger this skill

What it does

Corbits is a discovery and proxy platform for premium APIs — crypto prices, weather, financial data, and more. Agents call APIs with automatic per-request USDC micropayments via the x402 protocol, powered by the @faremeter/rides TypeScript SDK.

• /corbits search <topic> — find matching API proxies
• /corbits list — browse endpoints with USDC pricing
• /corbits call — select endpoint, review cost, confirm, execute (payment auto-deducted)

MoonPay Integration

The key integration point: your MoonPay wallet IS your Corbits payment wallet — same EVM address, same private key.

1. mp wallet create --name "corbits-agent" — create the payment wallet
2. mp buy --token usdc_ethereum --amount 50 ... — fund with USDC
3. mp wallet export --wallet "corbits-agent" — export EVM private key
4. /corbits init — paste key, Corbits stores it and scaffolds @faremeter/rides
5. Every /corbits call auto-debits USDC from the MoonPay wallet — no separate signing step

Also includes an auto top-up snippet for long-running agent pipelines that checks balance and bridges USDC from Polygon when it drops below a threshold.

Example Usage

/corbits search "crypto prices"
/corbits list
/corbits call
# → GET /prices/latest | Cost: 0.001 USDC | Confirm: y
# → { "BTC": 67420.00, "ETH": 3540.00, ... }

[kevarifin14]

PR Review: skills/corbits — Paid API Marketplace

Overall this is a well-structured skill with good MoonPay integration coverage. However, there are several issues ranging from naming convention violations to questionable references that need to be addressed before merging.

---

1. NAMING CONVENTION VIOLATION (Blocking)

The skill directory is skills/corbits/ but per CLAUDE.md, partner skills must follow the pattern skills/{partner}-{name}/. The PR template itself even gives the example corbits-marketplace. This should be renamed to something like:

• skills/corbits-marketplace/
• skills/corbits-api-marketplace/

The name field in the frontmatter (name: corbits) should also be updated to match (e.g., corbits-marketplace).

The marketplace.json entry (./skills/corbits) needs to be updated accordingly.

---

2. MARKETPLACE.JSON — Unrelated Change (Minor)

The PR sneaks in a character change on an unrelated line — replacing a hyphen-minus (—) with an em dash (—) in the top-level plugin description. This is a cosmetic change unrelated to the skill being added and should not be bundled here. Please revert this line.

---

3. REFERENCED SKILLS DO NOT EXIST (Blocking)

The "Related Skills" section references two skills that do not exist in this repository:

• moonpay-x402 — This one exists. Good.
• moonpay-check-wallet — This one exists. Good.
• moonpay-budget-agent — Does not exist. There is no skills/moonpay-budget-agent/ directory. Remove this reference or replace it with an actually existing skill.
• moonpay-swap-tokens — This one exists. Good.

---

4. REFERENCES TO UNVERIFIABLE EXTERNAL TOOLING

The skill references several things that raise trust concerns:

• npx clawhub@latest install corbits — Is clawhub a real, published npm package? This is used as the installation mechanism but there is no explanation of what it is, and it is not mentioned anywhere else in this repo. If this is not a real package, it must be removed. If it is real, it should be briefly explained.

• @faremeter/rides — Referenced as the payment SDK multiple times. Is this a real npm package? The name is unusual for a payments library. If this is a real dependency, it needs a link or brief explanation. If fabricated, all references must be removed.

• /corbits slash commands — The skill references /corbits init, /corbits search, /corbits list, /corbits call, /corbits status. How are these commands actually made available? Through clawhub? This needs clarification. A skill should be explicit about where commands come from.

---

5. PRIVATE KEY HANDLING — SECURITY CONCERN

The workflow instructs the user to:

1. Export a private key via mp wallet export
2. Copy-paste it into /corbits init
3. Corbits stores it "in macOS Keychain or ~/.config/corbits/"

This is a significant security concern that deserves a warning or callout. Exporting and pasting a private key into a third-party tool should come with an explicit security note. The skill should recommend using a dedicated wallet with limited funds, not a primary wallet. A brief "Security" section would be appropriate.

---

6. HARDCODED TOKEN ADDRESSES

The skill hardcodes USDC contract addresses:

• 0xa0b86991c6218b36c1d19d4a2e9eb0ce3606eb48 (Ethereum USDC)
• 0x2791Bca1f2de4661ED88A30C99A7a9449Aa84174 (Polygon USDC.e — note this is the bridged USDC.e, not native USDC on Polygon which is 0x3c499c542cEF5E3811e1192ce70d8cC03d5c3359)

The Polygon address is specifically for USDC.e (bridged), which is being deprecated in favor of native USDC. This should be called out or updated. At minimum, label it clearly in the bridge command and token address table.

---

7. DESCRIPTION QUALITY (Minor)

The description field in frontmatter is actually quite good — it specifies the "when" trigger clearly: "Use when the user wants to access paid data APIs (crypto prices, weather, financial data, etc.) with per-request billing and no API key management." This passes the bar.

---

8. CONTENT QUALITY — MOSTLY GOOD, BUT HEAVY ON FUNDING

The skill is thorough, but roughly 50% of the content is about funding the wallet (Buy USDC, Swap, Bank Transfer, Deposit Link, Auto Top-Up). While some funding info is useful, this duplicates content that already exists in moonpay-buy-crypto, moonpay-swap-tokens, moonpay-deposit, and moonpay-virtual-account. Consider trimming the funding section to a brief summary with cross-references to those skills instead of reproducing their workflows.

---

9. PR TEMPLATE ADHERENCE

The PR body follows the template structure reasonably well. However, the skill name in the PR body is listed as skills/corbits/ while the template example shows skills/{partner}-{name}/ (e.g., corbits-marketplace). The author even filled in the checklist, which is appreciated — but the naming issue noted in point 1 should have been caught here.

---

Summary of Required Changes

#	Issue	Severity
1	Rename skills/corbits/ to skills/corbits-marketplace/ (or similar)	Blocking
2	Revert unrelated em dash change in marketplace.json	Minor
3	Remove reference to nonexistent moonpay-budget-agent skill	Blocking
4	Verify clawhub and @faremeter/rides are real packages; clarify or remove	Blocking
5	Add security warning about private key export to third-party tool	Important
6	Fix/clarify Polygon USDC.e vs native USDC address	Important
8	Trim funding section; cross-reference existing skills instead of duplicating	Suggested

[kevarifin14]

Grade: B-

Solid concept (x402 micropayment marketplace). Naming violation (corbits/ → corbits-marketplace/), phantom moonpay-budget-agent skill reference, unverifiable clawhub/@faremeter/rides tooling, and ~50% of content duplicates existing wallet/funding skills instead of cross-referencing. Security warning needed for private key export to third-party tools.

[kevarifin14]

Re-review after fixes (3 new commits)

Issues addressed:

• ✅ Renamed skills/corbits/ → skills/corbits-marketplace/
• ✅ Phantom moonpay-budget-agent reference removed — Related Skills now reference real skills only

Verification results:

• @faremeter/rides — confirmed real (npm, v0.17.1, 7 versions, LGPL-3.0)
• clawhub — confirmed real (npm, v0.8.0)
• https://api.corbits.dev — unverified (private API, can't confirm without credentials). Noted as unverified, not flagged as fabricated.

Updated grade: B+

To get to A+, fix these:

1. marketplace.json placement — Move out of the moonpay-skills array into its own plugin block:

{
  "name": "corbits-skills",
  "description": "Paid API marketplace with x402 micropayments via Corbits",
  "source": "./",
  "strict": false,
  "skills": [
    "./skills/corbits-marketplace"
  ]
}

2. Unrelated diff — Drop the em-dash change in the existing moonpay-skills description.
3. Security warning for private key export — The skill has the agent export a private key and pass it to corbits init. Add a prominent warning about the risk of sharing private keys with third-party tools.

[kevarifin14]

Re-review: Grade A-

Issues fixed:

• ✅ Own corbits-skills plugin block in marketplace.json
• ✅ Em-dash diff clean

Verified: @faremeter/rides (npm v0.17.1, real), clawhub (npm v0.8.0, real). api.corbits.dev unverified (private API — noted, not flagged).

One remaining issue for A+:

• Security warning for private key export — The skill has mp wallet export → paste into corbits init. Add a warning:

⚠️ Security: Exporting your private key to a third-party tool carries risk. Use a dedicated wallet with limited funds. Never commit private keys to version control.

Add that and this is A+.

[kevarifin14]

Grade: A+

All issues resolved:

• ✅ Own corbits-skills plugin block
• ✅ Em-dash diff clean
• ✅ Security warning added for private key export — covers full wallet access risk, never commit, dedicated low-balance wallet

Verified: @faremeter/rides (npm v0.17.1), clawhub (npm v0.8.0), api.corbits.dev (unverified private API — noted, not flagged).

Ready to merge.

[kevarifin14]

Approved as A+, but there's a merge conflict in marketplace.json from PRs #8 and #9 being merged. Please rebase on main to resolve and I'll merge immediately.