Agent Skills

The Conto skill adds spending-policy enforcement to any AI agent built on OpenClaw or Nous Hermes. It checks every payment against 40+ policy rule types before money leaves the wallet. Both frameworks use the same wrapper script (conto-check.sh) and the same Conto REST API. Only the install command and the config file location differ.
In the examples below, pathUSD refers to Tempo Testnet. For production wallets on Tempo Mainnet, use USDC.e.

How it works

Agent wants to pay 50 pathUSD to 0xabc...
    |
    v
Skill calls POST /api/sdk/payments/approve
    |
    v
Conto evaluates all policy rules
    |
    +---> APPROVED: agent proceeds with payment
    +---> DENIED: agent stops, reports violations
    +---> REQUIRES_APPROVAL: agent pauses for human sign-off
    +---> VERIFICATION_REQUIRED: human completes AgentScore identity step-up, then Conto resumes
Conto supports two wallet modes:
  • Integrated (PRIVY/SPONGE). Your wallet provider holds the keys. Conto evaluates policies and orchestrates execution through the provider.
  • External. Agent holds the keys. Agent calls approve, transfers itself, then confirms.
Both modes evaluate the same rule set.

Which endpoint do I call?

| | Integrated (PRIVY/SPONGE) | External |
|---|---|---|
| Custody type | PRIVY or SPONGE | EXTERNAL |
| Who holds keys | Wallet provider | Your agent |
| Endpoint | POST /api/sdk/payments/request | POST /api/sdk/payments/approve |
| Calls per payment | 1 (with autoExecute: true and payments:execute) | 3 (approve, transfer, confirm) |
| Approval expiry | 5 minutes | 10 minutes |
| chainId | Resolved from wallet | Required in request body |
Most skill users register an existing wallet (e.g. through an MCP server like Sponge) as EXTERNAL and let Conto act as the policy gate. If you enable AgentScore-backed merchant gating, the integrated flow can also return VERIFICATION_REQUIRED before execution. In that case the human verifies identity through the provided URL, Conto re-runs policy evaluation with the merchant compliance result, and then the payment proceeds or fails normally.
The default Standard SDK key preset is request/read-only. For the end-to-end payment flows in this guide, use an Admin SDK key or another key that explicitly includes the required payment scopes such as payments:execute, payments:approve, and payments:confirm.

Install

Requirements: conto-check.sh uses curl, jq, and python3. Install jq via your package manager if missing (brew install jq, apt install jq). python3 runs a short-lived localhost callback server during browser auth.
Install from ClawHub:
npx clawhub install conto
Or add the skill directly from the manifest: conto.finance/skill.md.
Do not run npm install @conto/sdk. The OpenClaw skill uses conto-check.sh (installed by ClawHub) to call the Conto REST API directly. The @conto/sdk npm package is a separate TypeScript SDK and is not needed here.

Quick setup

After installing, run setup with your agent name and wallet address:
conto-check.sh setup "my-agent" "0xYourWalletAddress" EVM 42431
This opens your browser for Conto login. After you approve, the agent is automatically provisioned with:
  • An agent record linked to your organization
  • Your wallet registered as EXTERNAL custody
  • Default spend limits (100/tx, 500/day)
  • An SDK key written to the framework’s config file (see below)
| Argument | Default | Description |
|---|---|---|
| agent_name | required | Name for your agent |
| wallet_address | required | Your wallet address (0x... for EVM, base58 for Solana) |
| chain_type | EVM | EVM or SOLANA |
| chain_id | 42431 | Common: 8453 (Base), 42431 (Tempo Testnet), 1 (Ethereum) |
Verify it works:
conto-check.sh budget
You can adjust spend limits, add policies, and manage the agent in the Conto dashboard.

Config file locations

The skill writes the SDK key to a framework-specific path:
~/.openclaw/openclaw.json:
{
  "skills": {
    "entries": {
      "conto": {
        "env": {
          "CONTO_API_KEY": "conto_agent_your_key_here",
          "CONTO_API_URL": "https://conto.finance"
        }
      }
    }
  }
}
This must be valid JSON. Trailing commas or missing braces will make every OpenClaw command fail. Validate with:
cat ~/.openclaw/openclaw.json | jq .
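The config file holds a bearer credential, so it is worth checking more than JSON syntax. The following is an added example, not part of the Conto skill: a small audit that combines the JSON check above with the key-prefix and URL checks from Troubleshooting. The file-permission check and the function name audit_config are assumptions added here as hardening.

```python
import json
import os
import stat
from urllib.parse import urlparse

def audit_config(path):
    """Return a list of findings for an OpenClaw-style Conto config file."""
    findings = []
    try:
        mode = stat.S_IMODE(os.stat(path).st_mode)
        with open(path, encoding="utf-8") as fh:
            cfg = json.load(fh)
    except OSError as exc:
        return [f"cannot read config: {exc.strerror}"]
    except ValueError as exc:  # covers trailing commas, missing braces, bad encoding
        return [f"invalid JSON: {exc}"]

    # Added hardening (assumption, not from the page): the file stores the
    # SDK key, so any group/other permission bit is reported.
    if mode & 0o077:
        findings.append(f"permissions {mode:04o} expose the SDK key; use 0600")

    try:
        env = cfg["skills"]["entries"]["conto"]["env"]
    except (KeyError, TypeError):
        env = None
    if not isinstance(env, dict):
        return findings + ["missing skills.entries.conto.env"]

    # Agent-scoped SDK keys start with conto_agent_ (see Troubleshooting).
    key = env.get("CONTO_API_KEY")
    if not (isinstance(key, str) and key.startswith("conto_agent_")):
        findings.append("CONTO_API_KEY does not start with conto_agent_")

    # Plain http is accepted only for the local dev server.
    url = urlparse(str(env.get("CONTO_API_URL", "")))
    local = url.hostname in ("localhost", "127.0.0.1")
    if url.scheme != "https" and not (url.scheme == "http" and local):
        findings.append("CONTO_API_URL must be https (http only for localhost)")
    return findings

if __name__ == "__main__":
    target = os.path.expanduser("~/.openclaw/openclaw.json")
    print("\n".join(audit_config(target)) or "no findings")
```

An empty result means the file parses, carries an agent-scoped key, points at an HTTPS endpoint, and is readable only by its owner.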

Manual setup

If browser-based setup doesn’t work, configure manually:
  1. Connect your agent in Conto. Sign in to the Conto dashboard and create the agent record.
  2. Link your wallet. Go to Agents > your agent > Wallets > Link Wallet. Enter the address and chain. Set initial spending limits.
  3. Generate an SDK key. Go to Agents > your agent > SDK Keys > Generate New Key. Pick Admin if you want the skill to execute payments, approve external-wallet transfers, or manage policies. Pick Standard only for request/read-only evaluation or if you already have a custom-scoped standard key with the payment scopes this skill needs.
  4. Save the key to the config path for your framework (above).

Finding your wallet address

How you obtain a wallet address depends on your setup.
  • Existing MCP wallet (Sponge, AgentCash). Ask your agent or run the get_balance / list_accounts tool. Copy the address for the chain you want to use.
  • Create a wallet in Conto. Dashboard > Wallets > Create Wallet > pick PRIVY or SPONGE custody > select chain > Provision. Conto creates the wallet onchain and shows the address.
  • Your own external wallet (hardware, MetaMask, etc.). Register the address in Conto as EXTERNAL custody. Your agent handles the onchain transfer itself.
EXTERNAL custody keeps full key control in your wallet stack. Conto can approve, deny, record, and alert on payments routed through Conto, but it cannot cryptographically block a direct transfer signed outside Conto.

Usage

/conto list my policies
/conto create a $200 per-transaction limit
Send 50 pathUSD to 0x742d... on Tempo
CLI (OpenClaw example):
openclaw agent --agent main -m "Send 50 pathUSD to 0x742d... on Tempo"

Standard vs Admin SDK keys

| Capability | Standard | Admin |
|---|---|---|
| Request policy evaluation | Yes | Yes |
| Execute approved payments | No | Yes |
| Approve / confirm payments | No | Yes |
| Pre-authorize x402 calls | Yes | Yes |
| Create merchant acceptance gates | No | Yes |
| Read policies and transactions | Yes | Yes |
| Create/update/delete policies | No | Yes |
| Manage agents and wallets | No | Yes |
With an admin key, manage policies through natural language:
/conto create a policy that limits each transaction to 200 pathUSD
/conto create a policy that only allows API_PROVIDER and CLOUD categories
/conto block address 0xbad... from receiving payments
/conto create a policy that requires approval for payments over 500 pathUSD
/conto delete the blocklist policy

Supported policy types

| Type | What it controls |
|---|---|
| MAX_AMOUNT | Per-transaction cap |
| DAILY_LIMIT / WEEKLY_LIMIT / MONTHLY_LIMIT | Cumulative spend caps |
| ALLOWED_CATEGORIES / BLOCKED_CATEGORIES | Category allowlist/blocklist |
| ALLOWED_COUNTERPARTIES / BLOCKED_COUNTERPARTIES | Address allowlist/blocklist |
| TIME_WINDOW / DAY_OF_WEEK | Business hours, allowed days |
| BLACKOUT_PERIOD | Maintenance windows |
| VELOCITY_LIMIT | Transaction rate limiting |
| REQUIRE_APPROVAL_ABOVE | Human approval threshold |
| GEOGRAPHIC_RESTRICTION | Country / OFAC restrictions |
| CONTRACT_ALLOWLIST | DeFi contract restrictions |
| X402_PRICE_CEILING | Max per x402 API call |
| X402_ALLOWED_SERVICES / X402_BLOCKED_SERVICES | x402 service allowlist/blocklist |
| X402_MAX_PER_SERVICE | Per-service daily cap |
See Policy overview for the full canonical rule-type list.

End-to-end example: pay a vendor on Tempo Testnet

This walks the full external-wallet flow: approve, transfer onchain, confirm back to Conto.

Prerequisites

Step 1. Tempo Testnet details

| Detail | Value |
|---|---|
| Network | Tempo Testnet |
| Chain ID | 42431 |
| Currency | pathUSD (TIP-20 stablecoin) |
| Gas | Paid in pathUSD (no separate gas token) |
| Explorer | explore.moderato.tempo.xyz |

Step 2. Get testnet funds

  • Conto Privy wallets: dashboard Wallets > your wallet > Faucet.
  • Tempo faucet: faucet.tempo.network.
  • Sponge MCP wallets: ask your agent for the balance and swap or bridge if needed.
You need enough pathUSD to cover the test payment plus a small amount for fees.

Step 3. Register the wallet in Conto

Dashboard > Agents > your agent > Wallets > Link Wallet. Set:
  • Chain: Tempo Testnet (42431)
  • Custody type: EXTERNAL (or PRIVY if you created one in Conto)
  • Per Transaction: 200 pathUSD
  • Daily: 1,000 pathUSD
  • Weekly: 5,000 pathUSD
Wallet-level limits act as a safety net on top of any policy you assign.

Step 4. Create a policy

/conto create a policy that limits each transaction to 200 pathUSD
The skill calls POST /api/sdk/policies and returns the policy ID. Verify:
/conto list my policies

Step 5. Request a payment

Send 50 pathUSD to 0x742d35Cc6634C0532925a3b844Bc9e7595f2bD18 on Tempo
Behind the scenes the skill calls:
curl -X POST https://conto.finance/api/sdk/payments/approve \
  -H "Authorization: Bearer $CONTO_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "amount": 50,
    "recipientAddress": "0x742d35Cc6634C0532925a3b844Bc9e7595f2bD18",
    "senderAddress": "0x1a2b3c4d5e6f...",
    "chainId": 42431,
    "purpose": "Vendor payment"
  }'
If approved immediately, the response includes an approvalId and approvalToken. If policy requires manual approval and a workflow matches, the response includes approvalRequestId instead. Once that workflow approves the payment, the agent confirms the onchain transfer back to Conto with the final txHash.

Step 6. Transfer onchain

The agent transfers pathUSD itself using its own keys. The skill handles this for you.

Step 7. Confirm back to Conto

After the onchain transfer succeeds:
curl -X POST https://conto.finance/api/sdk/payments/APPROVAL_ID/confirm \
  -H "Authorization: Bearer $CONTO_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "txHash": "0xabc123...",
    "approvalToken": "a1b2c3d4..."
  }'
Conto records the payment, updates spend counters, and the transaction appears in the dashboard.

Step 8. Verify

/conto show my recent transactions
Or check Transactions in the dashboard for the explorer link.

What happens when a policy blocks the payment?

Send 300 pathUSD to 0x742d35Cc6634C0532925a3b844Bc9e7595f2bD18 on Tempo
The skill returns a denial with the specific violation. No onchain transfer occurs. The denied attempt appears under Alerts in the dashboard.
{
  "approved": false,
  "reasons": ["Amount 300 exceeds maximum of 200 per transaction"],
  "violations": [
    {
      "type": "PER_TX_LIMIT",
      "limit": 200,
      "current": 300,
      "message": "Amount 300 exceeds maximum of 200 per transaction"
    }
  ],
  "requiresHumanApproval": false
}
Common violation types: PER_TX_LIMIT, DAILY_LIMIT, WEEKLY_LIMIT, MONTHLY_LIMIT, BLOCKED_COUNTERPARTY, TIME_WINDOW, CATEGORY_RESTRICTION, VELOCITY_LIMIT. See Advanced policies for the full list.
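In external wallet mode the agent holds the keys, so the code that reads the /approve response is the only thing standing between a denial and an onchain transfer. The following is an added example, not the skill's own code: a fail-closed gate that maps a response body to TRANSFER, WAIT_FOR_HUMAN or STOP and enforces the 10-minute external approval expiry. The function name gate, the sample ids, and the presence of "approved": true in an approved body are assumptions.

```python
import json
import time

APPROVAL_TTL_SECONDS = 10 * 60  # external-wallet approval expiry stated on this page

def gate(response_text, received_at, now=None):
    """Return (action, details); action is TRANSFER, WAIT_FOR_HUMAN or STOP.
    Anything short of an unambiguous, unexpired approval maps to STOP, so a
    parse error or unexpected body can never release funds."""
    now = time.time() if now is None else now
    try:
        body = json.loads(response_text)
    except (TypeError, ValueError):
        return "STOP", ["unparseable response"]
    if not isinstance(body, dict):
        return "STOP", ["unexpected response shape"]

    # Manual-approval workflow matched: pause, never transfer.
    request_id = body.get("approvalRequestId")
    if body.get("requiresHumanApproval") is True or request_id:
        return "WAIT_FOR_HUMAN", [str(request_id or "")]

    approval_id, token = body.get("approvalId"), body.get("approvalToken")
    # Assumption: an approved body carries "approved": true, mirroring the
    # "approved": false field of the denial response shown on this page.
    if (body.get("approved") is True
            and isinstance(approval_id, str) and approval_id
            and isinstance(token, str) and token):
        if now - received_at >= APPROVAL_TTL_SECONDS:
            return "STOP", ["approval expired; request a new one"]
        return "TRANSFER", [approval_id]

    # Denied or ambiguous: surface the violations Conto reported.
    violations = body.get("violations")
    details = [f"{v.get('type')}: {v.get('message')}"
               for v in (violations if isinstance(violations, list) else [])
               if isinstance(v, dict)]
    return "STOP", details or ["not approved"]

# Constructed sample bodies; DENIED follows the page's denial example.
DENIED = json.dumps({"approved": False, "requiresHumanApproval": False,
    "violations": [{"type": "PER_TX_LIMIT", "limit": 200, "current": 300,
                    "message": "Amount 300 exceeds maximum of 200 per transaction"}]})
APPROVED = json.dumps({"approved": True, "approvalId": "appr_example",
                       "approvalToken": "tok_example"})

if __name__ == "__main__":
    for name, body in (("approved", APPROVED), ("denied", DENIED)):
        print(name, gate(body, received_at=0.0, now=30.0))
```

The strict `is True` comparison is deliberate: a string such as "true" or a body that has a token but no approved flag is treated as a denial.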

Rate limits

| Endpoint type | Limit |
|---|---|
| Payment endpoints (/approve, /request, /execute, /confirm) | 60 requests/min per agent |
| Read endpoints (/wallets, /policies, /transactions, etc.) | 120 requests/min per agent |
On 429, the API returns a Retry-After header. The skill retries automatically. See the Defaults page for all rate-limit and default values.

Troubleshooting

Verify CONTO_API_URL is correct. For the hosted platform, use https://conto.finance. For local dev, http://localhost:3006. Test:
curl https://conto.finance/api/sdk/setup \
  -H "Authorization: Bearer $CONTO_API_KEY"
A valid JSON response means the URL is reachable.
SDK keys are scoped to a single agent. Check that:
  • The key starts with conto_agent_ (not conto_)
  • The key has not been revoked in Agents > SDK Keys
  • You’re using the correct key for the correct agent
Generate a new key under Agents > your agent > SDK Keys > Generate New Key.
The denial response includes a violations array listing every rule that failed. Common causes:
  • Spend limit exceeded. Check daily/weekly/monthly counters in Agents > Spend Tracking.
  • Counterparty not on allowlist. If you have an ALLOWED_COUNTERPARTIES policy, the recipient must be listed.
  • Outside time window. TIME_WINDOW and DAY_OF_WEEK rules use the timezone set on the policy.
  • Category mismatch. If ALLOWED_CATEGORIES is set and no category is provided, the rule is skipped. BLOCKED_CATEGORIES always denies on match.
Dry-run check without attempting a real payment:
/conto check if a 50 pathUSD payment to 0x742d... is allowed
In external wallet mode, Conto only enforces policy. The agent must transfer funds itself. If /approve succeeds but no transfer happens:
  • Check the agent has enough pathUSD in its wallet.
  • Check the agent logs for transfer errors.
  • Ensure the wallet address in Conto matches the agent’s actual wallet.
If the transfer succeeded but Conto doesn’t show it, the /confirm call may have failed. Retry:
curl -X POST https://conto.finance/api/sdk/payments/APPROVAL_ID/confirm \
  -H "Authorization: Bearer $CONTO_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"txHash": "0x...", "approvalToken": "a1b2c3d4..."}'
Policy management requires an Admin SDK key. The default Standard preset can request policy evaluation and read agent data, but it does not include payments:execute, payments:approve, or payments:confirm. Check the key type in Agents > SDK Keys (scope column shows standard or admin).
Policies must be assigned to the agent. Creating a policy alone doesn’t activate it. Assign via the dashboard (Policies > Assign to Agent) or via the API:
curl -X POST https://conto.finance/api/agents/AGENT_ID/policies \
  -H "Authorization: Bearer $CONTO_ORG_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"policyId": "POLICY_ID"}'
Verify the policy status is ACTIVE.
If every OpenClaw command fails after a manual edit, the JSON file likely has a syntax error. Validate:
cat ~/.openclaw/openclaw.json | jq .
If jq reports an error, fix the JSON or delete and re-run setup:
rm ~/.openclaw/openclaw.json
conto-check.sh setup "my-agent" "0xMyWalletAddress" EVM 42431