OpenClaw Skill

The Conto skill for OpenClaw adds fine-grained spending policies to any AI agent. It checks every payment against 40+ policy rule types before money leaves the wallet.

How It Works

Agent wants to pay 50 pathUSD to 0xabc...
    |
    v
Skill calls POST /api/sdk/payments/approve
    |
    v
Conto evaluates all policy rules
    |
    +---> APPROVED: agent proceeds with payment
    +---> DENIED: agent stops, reports violations
    +---> REQUIRES_APPROVAL: agent pauses for human sign-off
Conto supports two wallet modes:
  • Integrated (PRIVY/SPONGE) — Your wallet provider holds the keys (Privy or Sponge, respectively). Conto evaluates policies and orchestrates execution through the provider. One API call handles policy check + execution.
  • External — Agent holds the keys. Agent calls approve, transfers itself, then confirms.
Both modes evaluate the same 40+ policy rule types.

Which endpoint do I call?

| | Mode A (Integrated) | Mode B (External) |
| --- | --- | --- |
| Custody type | PRIVY or SPONGE | EXTERNAL |
| Who holds keys | Wallet provider | Your agent |
| Endpoint | POST /api/sdk/payments/request | POST /api/sdk/payments/approve |
| Calls per payment | 1 (with autoExecute: true) | 3 (approve → transfer → confirm) |
| Approval expiry | 5 minutes | 10 minutes |
| chainId | Resolved from wallet | Required in request body |
Most OpenClaw agents use Mode B — the agent controls its wallet via MCP tools and Conto acts as the policy gate.

Install

Install from ClawHub:
npx clawhub install conto
Or add the skill directly from the manifest: conto.finance/skill.md
Do not run npm install @conto/sdk. The OpenClaw skill uses conto-check.sh (installed by ClawHub) to call the Conto REST API directly. The @conto/sdk npm package is a separate TypeScript SDK for programmatic integrations and is not needed for OpenClaw.
After installing, run the setup command with your agent name and wallet address:
conto-check.sh setup "my-agent" "0xYourWalletAddress" EVM 42431
This opens your browser for Conto login. After you approve, the agent is automatically provisioned with:
  • An agent record linked to your organization
  • Your wallet registered as EXTERNAL custody
  • Default spend limits ($100/tx, $500/day)
  • An SDK key written to ~/.openclaw/openclaw.json
To find your wallet address, ask your agent: What is my wallet address?
Arguments:
| Argument | Default | Description |
| --- | --- | --- |
| agent_name | (required) | Name for your agent |
| wallet_address | (required) | Your wallet address (0x… for EVM, base58 for Solana) |
| chain_type | EVM | EVM or SOLANA |
| chain_id | 42431 | Chain ID. Common: 8453 (Base), 42431 (Tempo Testnet), 1 (Ethereum) |
Verify it works:
conto-check.sh budget
You can adjust spend limits, add policies, and manage your agent anytime in the Conto dashboard.

Manual Setup (Alternative)

If the browser setup doesn’t work, you can configure manually. This requires four steps:
  1. Connect your agent in Conto — Sign in to the Conto dashboard and connect your agent. This is how Conto knows which OpenClaw agent to track policies, spend limits, and transaction history for.
  2. Link your wallet — Tell Conto which wallet your agent will be sending payments from. You can use an existing wallet like the one connected to your OpenClaw, or create a new wallet with Privy or Sponge directly in Conto. See Find Your Wallet Address below.
  3. Generate an SDK key — This is the credential your OpenClaw agent uses to authenticate with Conto. You’ll add it to your OpenClaw config file.
  4. Add the SDK key to OpenClaw config — Save the key to ~/.openclaw/openclaw.json so the skill can authenticate with Conto.
The next sections walk through each of these steps.

Find Your Wallet Address

Conto needs to know which wallet your agent controls so it can track spend limits and verify onchain transfers. How you get your wallet address depends on your setup.

Option A: You already have a wallet (Sponge, AgentCash, etc.)

If your OpenClaw agent already has a wallet through an MCP server like Sponge, you can retrieve the address directly.
Sponge MCP — Ask your agent or run the get_balance tool. The response includes your wallet addresses for each chain:
> What are my wallet addresses?
The agent will return something like:
Tempo:    0x1a2b3c4d5e6f...
Base:     0x1a2b3c4d5e6f...
Solana:   ABC123...
Copy the address for the chain you want to use (Tempo for testnet, Base or Solana for production).
AgentCash — Use the list_accounts tool to see your wallet addresses across all supported networks.

Option B: Create a new wallet in Conto (Privy or Sponge)

If you don’t have an existing wallet, you can create one directly in the Conto dashboard:
  1. Go to the Conto dashboard
  2. Navigate to Wallets > Create Wallet
  3. Set custody type to PRIVY or SPONGE
  4. Select the chain (e.g. Tempo Testnet for testing)
  5. Click Provision — Conto creates the wallet onchain and shows you the address
With a Privy wallet, Privy holds the keys and Conto orchestrates execution through Privy after policy approval — no separate transfer step needed. With a Sponge wallet, Sponge holds the keys and Conto orchestrates through Sponge in the same way.

Option C: Use your own external wallet

If you have a wallet you manage yourself (hardware wallet, MetaMask, etc.), you can register its address in Conto as an EXTERNAL wallet. With external wallets, your agent handles the onchain transfer itself after Conto approves the payment.

Which option should I pick?

| Setup | Who holds keys | Payment flow |
| --- | --- | --- |
| Existing OpenClaw wallet | Your MCP provider (e.g. Sponge) | Agent calls approve → agent transfers via MCP → agent confirms |
| Privy (created in Conto) | Privy | Agent calls approve → Conto orchestrates execution via Privy |
| Sponge (created in Conto) | Sponge | Agent calls approve → Conto orchestrates execution via Sponge |
| External | You | Agent calls approve → agent transfers itself → agent confirms |
For most OpenClaw users with an existing wallet connected to their agent, register it as an EXTERNAL wallet in Conto. Your agent already has transfer tools through its MCP server — Conto just adds the policy layer on top.

Configure

1. Connect your agent in Conto

Sign in to the Conto dashboard and connect your agent. Give it a name and description that matches your OpenClaw agent.

2. Link your wallet

Go to Agents > your agent > Wallets > Link Wallet. Enter your wallet address (see Find Your Wallet Address above) and select the chain and custody type. Set initial spending limits for per-transaction, daily, and weekly caps.

3. Generate an SDK key

Go to Agents > your agent > SDK Keys > Generate New Key.
  • Select Standard for payment approval only
  • Select Admin if you want the agent to create/manage policies

4. Add to OpenClaw config

If you used conto-check.sh setup in Quick Setup, this file was created automatically and you can skip this step.
Edit ~/.openclaw/openclaw.json. If the file does not exist, create it with exactly this content (replace the key value with your actual SDK key):
{
  "skills": {
    "entries": {
      "conto": {
        "env": {
          "CONTO_SDK_KEY": "conto_agent_your_key_here",
          "CONTO_API_URL": "https://conto.finance"
        }
      }
    }
  }
}
This file must be valid JSON. A missing comma, extra trailing comma, or mismatched brace will cause OpenClaw to fail on every command. If you see parse errors after editing this file, validate it with cat ~/.openclaw/openclaw.json | jq . or paste it into jsonlint.com.

Usage

Telegram / Discord / WhatsApp

/conto list my policies
/conto create a $200 per-transaction limit
Send 50 pathUSD to 0x742d... on Tempo

CLI

openclaw agent --agent main -m "/conto list my policies"
openclaw agent --agent main -m "Send 50 pathUSD to 0x742d... on Tempo"

Standard vs Admin SDK Keys

| Capability | Standard | Admin |
| --- | --- | --- |
| Check payment policies | Yes | Yes |
| Confirm payments | Yes | Yes |
| Pre-authorize x402 calls | Yes | Yes |
| Read policies and transactions | Yes | Yes |
| Create/update/delete policies | No | Yes |
| Manage agents and wallets | No | Yes |

Create Policies from OpenClaw

With an admin SDK key, manage policies via natural language:
/conto create a policy that limits each transaction to 200 pathUSD
/conto create a policy that only allows API_PROVIDER and CLOUD categories
/conto block address 0xbad... from receiving payments
/conto create a policy that requires approval for payments over 500 pathUSD
/conto list my policies
/conto delete the blocklist policy

Test Policies

After creating policies, verify enforcement:
# Should approve (within limits)
/conto check if a 10 pathUSD payment to 0x742d... is allowed

# Should deny (over per-tx limit)
/conto check if a 500 pathUSD payment to 0x742d... is allowed

# Should deny (blocked address)
/conto check if a 1 pathUSD payment to 0xbad... is allowed

# Should deny (wrong category)
/conto check if a 10 pathUSD payment to 0x742d... for gambling is allowed

Supported Policy Types

| Type | What it controls |
| --- | --- |
| MAX_AMOUNT | Per-transaction cap |
| DAILY_LIMIT / WEEKLY_LIMIT / MONTHLY_LIMIT | Cumulative spend caps |
| ALLOWED_CATEGORIES / BLOCKED_CATEGORIES | Category whitelist/blocklist |
| ALLOWED_COUNTERPARTIES / BLOCKED_COUNTERPARTIES | Address whitelist/blocklist |
| TIME_WINDOW / DAY_OF_WEEK | Business hours, allowed days |
| BLACKOUT_PERIOD | Maintenance windows |
| VELOCITY_LIMIT | Transaction rate limiting |
| REQUIRE_APPROVAL_ABOVE | Human approval threshold |
| GEOGRAPHIC_RESTRICTION | Country/OFAC restrictions |
| CONTRACT_ALLOWLIST | DeFi contract restrictions |
| X402_PRICE_CEILING | Max per x402 API call |
| X402_ALLOWED_SERVICES / X402_BLOCKED_SERVICES | x402 service allowlist/blocklist |
| X402_MAX_PER_SERVICE | Per-service daily cap |

End-to-End Example: Pay a Vendor on Tempo Testnet

This walkthrough sends a real payment through the full external-wallet flow: approve → transfer onchain → confirm back to Conto.

Prerequisites

  • Conto account (sign up) with your agent connected
  • Conto skill installed in OpenClaw (npx clawhub install conto)
  • SDK key (conto_agent_...) configured in openclaw.json
  • A wallet address (see Find Your Wallet Address)

Step 1 — Connect to Tempo Testnet

Tempo Testnet is where you’ll test payments before going to production. It uses pathUSD as its stablecoin and requires no gas token — transaction fees are paid in pathUSD itself, so you don’t need to acquire a separate token for gas.
| Detail | Value |
| --- | --- |
| Network | Tempo Testnet |
| Chain ID | 42431 |
| Currency | pathUSD (TIP-20 stablecoin) |
| Gas | Paid in pathUSD (no separate gas token) |
| Explorer | explore.moderato.tempo.xyz |

Step 2 — Get testnet funds

You need pathUSD in your wallet to test payments. There are a few ways to get testnet tokens:
From the Conto dashboard (Privy wallets): If you created a Privy wallet in Conto, go to Wallets > your wallet and click the Faucet button. This deposits complimentary testnet pathUSD directly into your wallet.
From the Tempo faucet: Visit the Tempo testnet faucet and enter your wallet address to receive testnet pathUSD.
From your Sponge wallet (if applicable): If your agent uses a Sponge MCP wallet on Tempo testnet, check if you already have a balance:
> What's my balance on Tempo?
If you need funds, you can swap or bridge tokens to Tempo using your Sponge tools, or use the Tempo faucet above with your Sponge wallet address. Verify you have funds before proceeding — you’ll need at least enough pathUSD to cover your test payment plus a small amount for transaction fees.

Step 3 — Register your wallet in Conto

Now connect your wallet to the agent you connected in the Conto dashboard:
  1. Go to Agents > your agent > Wallets
  2. Click Link Wallet
  3. Enter your wallet address and select:
    • Chain: Tempo Testnet (42431)
    • Custody type: EXTERNAL (if using Sponge or your own wallet) or PRIVY (if you created one in Conto)
  4. Set initial spending limits:
    • Per Transaction: 200 pathUSD
    • Daily: 1,000 pathUSD
    • Weekly: 5,000 pathUSD
  5. Click Link
These wallet-level limits act as a safety net on top of any policies you create.

Step 4 — Create a spending policy

/conto create a policy that limits each transaction to 200 pathUSD
The skill calls POST /api/sdk/policies and returns the policy ID. Verify it:
/conto list my policies

Step 5 — Request a payment (approve)

Send 50 pathUSD to 0x742d35Cc6634C0532925a3b844Bc9e7595f2bD18 on Tempo
Behind the scenes the skill calls:
curl -X POST https://conto.finance/api/sdk/payments/approve \
  -H "Authorization: Bearer $CONTO_SDK_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "amount": 50,
    "recipientAddress": "0x742d35Cc6634C0532925a3b844Bc9e7595f2bD18",
    "senderAddress": "0x1a2b3c4d5e6f...",
    "chainId": 42431,
    "purpose": "Vendor payment"
  }'
Conto evaluates every assigned policy. If approved, the response includes an approvalId and approvalToken.

Step 6 — Transfer onchain

Because this is an external wallet, the agent transfers pathUSD itself using its own keys. The skill handles this automatically — you don’t need to do anything extra.

Step 7 — Confirm back to Conto

After the onchain transfer succeeds, the skill reports the transaction hash:
curl -X POST https://conto.finance/api/sdk/payments/APPROVAL_ID/confirm \
  -H "Authorization: Bearer $CONTO_SDK_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "txHash": "0xabc123...",
    "approvalToken": "a1b2c3d4..."
  }'
The approvalToken is the token from the Step 5 approval response. Conto records the payment, updates spend counters, and the transaction appears in the dashboard.

Step 8 — Verify the result

/conto show my recent transactions
Or check the Conto dashboard under Transactions — you’ll see the confirmed payment with its explorer link.

What happens if a policy blocks the payment?

Try exceeding the limit:
Send 300 pathUSD to 0x742d35Cc6634C0532925a3b844Bc9e7595f2bD18 on Tempo
The skill returns a denial with the specific violation. No onchain transfer occurs. The denied attempt appears under Alerts in the dashboard. The denial response looks like this:
{
  "approved": false,
  "reasons": ["Amount 300 exceeds maximum of 200 per transaction"],
  "violations": [
    {
      "type": "PER_TX_LIMIT",
      "limit": 200,
      "current": 300,
      "message": "Amount 300 exceeds maximum of 200 per transaction"
    }
  ],
  "requiresHumanApproval": false
}
Common violation types: PER_TX_LIMIT, DAILY_LIMIT, WEEKLY_LIMIT, MONTHLY_LIMIT, BLOCKED_COUNTERPARTY, TIME_WINDOW, CATEGORY_RESTRICTION, VELOCITY_LIMIT. See the Advanced Policies page for the full list.
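The decision handling from Step 5 and the denial response above, as an added example (not Conto's or the skill's own code): a fail-closed gate that turns an approve response into the single action the agent may take. The "approved": true shape, the sample id and token values, and tracking the 10-minute expiry on the local clock are assumptions; the tx-hash check covers EVM chains only.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import quote

APPROVAL_TTL_S = 10 * 60  # page: Mode B (external) approvals expire after 10 minutes
EVM_TX_HASH = re.compile(r"0x[0-9a-fA-F]{64}")

@dataclass
class Decision:
    action: str  # "TRANSFER", "WAIT_FOR_HUMAN" or "STOP"
    approval_id: Optional[str] = None
    approval_token: Optional[str] = None
    violations: List[str] = field(default_factory=list)
    deadline: Optional[float] = None  # local clock; assumes no expiry field in the response

def gate(resp: dict, received_at: float) -> Decision:
    """Map an approve response to the one action the agent may take; fail closed."""
    found = [f"{v.get('type')}: {v.get('message')}"
             for v in resp.get("violations") or [] if isinstance(v, dict)]
    if resp.get("requiresHumanApproval") is True:
        return Decision("WAIT_FOR_HUMAN", violations=found)
    if resp.get("approved") is not True:  # false, missing, or not a boolean
        return Decision("STOP", violations=found or list(resp.get("reasons") or []))
    aid, tok = resp.get("approvalId"), resp.get("approvalToken")
    if not all(isinstance(x, str) and x for x in (aid, tok)):
        return Decision("STOP", violations=["approved without approvalId/approvalToken"])
    return Decision("TRANSFER", aid, tok, deadline=received_at + APPROVAL_TTL_S)

def may_transfer(d: Decision, now: float) -> bool:
    """Only move funds for a live approval; an expired one needs a new approve call."""
    return d.action == "TRANSFER" and d.deadline is not None and now < d.deadline

def confirm_request(d: Decision, tx_hash: str):
    """Build (path, body) for the confirm call from Step 7, or raise."""
    if d.action != "TRANSFER":
        raise PermissionError("no approved payment to confirm")
    if not EVM_TX_HASH.fullmatch(tx_hash):
        raise ValueError("txHash is not a 32-byte EVM transaction hash")
    # Percent-encode the id so a malformed value cannot change the URL path.
    return (f"/api/sdk/payments/{quote(d.approval_id, safe='')}/confirm",
            {"txHash": tx_hash, "approvalToken": d.approval_token})

# DENIED is the page's example response. APPROVED is constructed: the page names
# approvalId and approvalToken; "approved": true and both values are assumptions.
DENIED = {"approved": False, "requiresHumanApproval": False,
          "reasons": ["Amount 300 exceeds maximum of 200 per transaction"],
          "violations": [{"type": "PER_TX_LIMIT", "limit": 200, "current": 300,
                          "message": "Amount 300 exceeds maximum of 200 per transaction"}]}
APPROVED = {"approved": True, "approvalId": "appr_constructed", "approvalToken": "tok_constructed"}

if __name__ == "__main__":
    ok = gate(APPROVED, received_at=0.0)
    print(gate(DENIED, 0.0).violations, confirm_request(ok, "0x" + "ab" * 32))
```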

Verify in Dashboard

After running payments through the skill, check the Conto dashboard:
  • Transactions — confirmed payments with tx hashes and explorer links
  • Alerts — denied payment attempts with violation details
  • Agents — spend tracking (daily/weekly/monthly used)

Run the E2E Test

For automated testing against a local Conto instance:
# Terminal 1
npm run dev

# Terminal 2
npx tsx scripts/test-openclaw-skill.ts
This creates an isolated test agent with 4 policies, runs 10 tests verifying each policy type, and cleans up afterward.

Rate Limits

| Endpoint type | Limit |
| --- | --- |
| Payment endpoints (/approve, /request, /execute, /confirm) | 60 requests/min per agent |
| Read endpoints (/wallets, /policies, /transactions, etc.) | 120 requests/min per agent |
When rate limited, the API returns 429 with a Retry-After header. The skill handles retries automatically.

Troubleshooting

Verify CONTO_API_URL in openclaw.json is correct. For the hosted platform, use https://conto.finance. For local development, use http://localhost:3006. Test connectivity:
curl https://conto.finance/api/sdk/setup \
  -H "Authorization: Bearer $CONTO_SDK_KEY"
If you get a valid JSON response, the URL is reachable.
SDK keys are scoped to a single agent. Check that:
  • The key starts with conto_agent_ (not conto_org_)
  • The key hasn’t been revoked in the dashboard under Agents > SDK Keys
  • You’re using the correct key for the correct agent
Generate a new key if needed: Agents > your agent > SDK Keys > Generate New Key.
The denial response includes a violations array listing every rule that failed. Common causes:
  • Spend limit exceeded — check daily/weekly/monthly counters in the dashboard under Agents > Spend Tracking
  • Counterparty not on allowlist — if you have an ALLOWED_COUNTERPARTIES policy, the recipient must be listed
  • Outside time window — TIME_WINDOW and DAY_OF_WEEK rules use the timezone set on the policy
  • Category mismatch — if ALLOWED_CATEGORIES is set and no category is provided in the request, the rule is skipped (not denied). But if BLOCKED_CATEGORIES matches, it denies.
Use the dry-run check to debug without attempting a real payment:
/conto check if a 50 pathUSD payment to 0x742d... is allowed
In external wallet mode, Conto only enforces policy — the agent must transfer funds itself. If the approve call succeeds but no transfer happens:
  • Check the agent has enough pathUSD in its wallet
  • Check the OpenClaw agent logs for transfer errors
  • Ensure the wallet address registered in Conto matches the agent’s actual wallet
If the transfer succeeded but Conto doesn’t show it, the confirm call may have failed. Retry:
curl -X POST https://conto.finance/api/sdk/payments/APPROVAL_ID/confirm \
  -H "Authorization: Bearer $CONTO_SDK_KEY" \
  -H "Content-Type: application/json" \
  -d '{"txHash": "0x...", "approvalToken": "a1b2c3d4..."}'
Policy management requires an Admin SDK key. Standard keys can only read policies and approve/confirm payments. Check the key type in the dashboard under Agents > SDK Keys — the scope column shows standard or admin.
The @conto/sdk npm package is not used by the OpenClaw skill. The skill communicates with Conto through conto-check.sh, which calls the REST API using curl. To install the skill, run:
npx clawhub install conto
Then follow the Quick Setup steps above.
If OpenClaw throws parse errors or every command fails after you manually edited ~/.openclaw/openclaw.json, the file likely has a JSON syntax error. Common mistakes:
  • Trailing comma after the last key-value pair
  • Missing comma between key-value pairs
  • Mismatched braces or brackets
  • Placeholder text like your_key_here not replaced with an actual key
Validate the file:
cat ~/.openclaw/openclaw.json | jq .
If jq reports an error, fix the JSON or delete the file and re-run setup:
rm ~/.openclaw/openclaw.json
conto-check.sh setup "my-agent" "0xMyWalletAddress" EVM 42431
The setup command writes a correctly formatted file automatically.
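The JSON mistakes listed here and the SDK key checks earlier in Troubleshooting, collected into one validator; this is an added example, not part of conto-check.sh, and the function name is hypothetical. The owner-only file mode check is an assumption added here because the file stores a bearer key.

```python
import json
import os
import stat
import tempfile
from urllib.parse import urlparse

def check_openclaw_config(path):
    """Return a list of findings for an openclaw.json; [] means every check passed."""
    try:
        mode = stat.S_IMODE(os.stat(path).st_mode)
        with open(path, encoding="utf-8") as fh:
            cfg = json.load(fh)
    except FileNotFoundError:
        return ["file not found; run conto-check.sh setup or create it"]
    except json.JSONDecodeError as exc:
        return [f"invalid JSON at line {exc.lineno}, column {exc.colno}: {exc.msg}"]

    findings = []
    # Assumption (added here): a file holding a bearer key should be owner-only.
    if mode & 0o077:
        findings.append(f"mode {mode:03o} exposes the SDK key to other users; chmod 600")
    try:
        env = cfg["skills"]["entries"]["conto"]["env"]
    except (KeyError, TypeError):
        env = None
    if not isinstance(env, dict):
        return findings + ["skills.entries.conto.env is missing or not an object"]

    key = env.get("CONTO_SDK_KEY")
    if not isinstance(key, str) or not key:
        findings.append("CONTO_SDK_KEY is missing")
    elif "your_key_here" in key:
        findings.append("CONTO_SDK_KEY still contains the placeholder text")
    elif key.startswith("conto_org_"):
        findings.append("CONTO_SDK_KEY is an org key; the skill needs a conto_agent_ key")
    elif not key.startswith("conto_agent_"):
        findings.append("CONTO_SDK_KEY does not start with conto_agent_")

    url = urlparse(str(env.get("CONTO_API_URL", "")))
    local = url.hostname in ("localhost", "127.0.0.1")
    if not url.hostname or not (url.scheme == "https" or (url.scheme == "http" and local)):
        findings.append("CONTO_API_URL must be https (http only for localhost)")
    return findings

if __name__ == "__main__":
    # Constructed sample: the page's template, unedited, written world-readable.
    sample = {"skills": {"entries": {"conto": {"env": {
        "CONTO_SDK_KEY": "conto_agent_your_key_here",
        "CONTO_API_URL": "https://conto.finance"}}}}}
    with tempfile.NamedTemporaryFile("w", suffix=".json") as fh:
        json.dump(sample, fh)
        fh.flush()
        os.chmod(fh.name, 0o644)
        print(check_openclaw_config(fh.name))
```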
Policies must be assigned to the agent. Creating a policy alone doesn’t activate it. Assign via the dashboard (Policies > Assign to Agent) or via the API:
curl -X POST https://conto.finance/api/agents/AGENT_ID/policies \
  -H "Authorization: Bearer $CONTO_ORG_KEY" \
  -H "Content-Type: application/json" \
  -d '{"policyId": "POLICY_ID"}'
Also verify the policy status is ACTIVE (not DRAFT or DISABLED).