clawpowers 1.1.1 → 1.1.2

package/skills/market-intelligence/SKILL.md

@@ -222,6 +222,41 @@ Score identified opportunities on 4 dimensions:
 [List all sources with access dates]
 ```
 
+### Premium Data Sources (x402-Aware)
+
+Market research frequently encounters paid API boundaries — academic paper databases, financial data APIs, patent registries, and proprietary datasets. ClawPowers routes these through the payment decision pipeline so you stay in control.
+
+**When research hits a 402 Payment Required response:**
+
+1. **Payments disabled** → Log the encounter and skip. Report: `[payment gate: skipped — payments.enabled=false]`. Continue with free alternatives.
+2. **Dry-run mode** → Log what would happen. Report: `[dry-run: would pay $0.05 USDC on base to access financial data API]`. No funds move. Use `npx clawpowers payments log` to review.
+3. **Live mode** → Evaluate against spending policy. If the cost fits within per-transaction and daily limits, pay autonomously and retry the request with payment proof.
+
+**Example premium sources the payment pipeline handles:**
+
+| Source | Typical Cost | Value |
+|--------|-------------|-------|
+| Financial data APIs (real-time prices, fundamentals) | $0.01–$0.10/request | Live market data for opportunity scoring |
+| Patent databases (full-text search) | $0.05–$0.50/query | IP landscape analysis |
+| Academic papers (behind paywalls) | $0.03–$0.30/paper | Early technology signal research |
+| Proprietary analyst datasets | $0.10–$2.00/query | Competitive benchmarking |
+
+**Configuration check before any paid research step:**
+
+```bash
+# Check current payment mode before hitting paid sources
+cat ~/.clawpowers/config.json | grep -A2 '"payments"'
+
+# Review what payment gates have been hit during this research session
+npx clawpowers payments log --limit 10
+```
+
+**Recommended workflow:**
+1. Run free sources first (GitHub API, npm stats, HN search, public web)
+2. When a free source hits a 402 wall, check if the premium data is decision-critical
+3. If yes and payments are enabled: let the pipeline evaluate and pay if policy allows
+4. If no: log the gap and note it in the intelligence report as a confidence gap
+
 ## ClawPowers Enhancement
 
 When `~/.clawpowers/` runtime is initialized:

package/skills/security-audit/SKILL.md

@@ -265,6 +265,51 @@ trivy fs . --severity HIGH,CRITICAL
 bandit -r src/ -ll
 ```
 
+### Premium Scanner Escalation
+
+The default audit pipeline uses **free local scanners**: `npm audit`, `gitleaks`, `trivy`, `bandit`, and `semgrep`. These cover the vast majority of findings and require no payment.
+
+When free scanners surface critical or high-severity findings, premium scanners can provide deeper analysis: broader CVE databases, behavioral analysis, license compliance, supply-chain attack detection, and exploit chain mapping.
+
+**Payment gate logic for scanner escalation:**
+
+| Config state | Behavior |
+|-------------|---------|
+| `payments.enabled = false` | Log the premium scanner option. Skip it. Proceed with free scan results only. |
+| `payments.mode = "dry_run"` | Log what would happen: `[dry-run: would pay $0.05 for Snyk deep scan]`. No charge. |
+| `payments.mode = "live"` | Evaluate cost vs. severity. If cost fits policy limits and severity is Critical/High, pay and run the premium scan. |
+
+**Example escalation scenarios:**
+
+```
+Trivy found 2 critical vulns in base image.
+Premium scanner (Snyk container) available for $0.05.
+[dry-run: would pay — severity=critical, cost=$0.05 < per_tx_limit=$0.10]
+```
+
+```
+gitleaks found 0 secrets in current HEAD.
+Premium deep-history scan available for $0.20.
+[skipped — payments.enabled=false]
+```
+
+**When to escalate:**
+- `CRITICAL` findings from free scanners → always consider premium for exploit chain analysis
+- `HIGH` findings with active CVEs → premium scanner may have fresher signature database
+- Pre-production release gates → deep scan is worth the cost
+- Compliance requirements (SOC 2, PCI) → premium scanners generate compliance-ready reports
+
+**Check payment config before escalating:**
+
+```bash
+cat ~/.clawpowers/config.json | grep -A8 '"payments"'
+
+# After audit session, review any payment decisions made
+npx clawpowers payments log
+```
+
+**Escalation is always optional.** The free scanner suite is production-grade. Premium escalation improves coverage at the margin — it never replaces the free baseline.
+
 ## ClawPowers Enhancement
 
 When `~/.clawpowers/` runtime is initialized:

package/skills/using-clawpowers/SKILL.md

@@ -53,6 +53,9 @@ Skills activate automatically when you recognize a matching task pattern. You do
 | Need to create a new skill | `writing-skills` |
 | Multiple independent tasks that can run concurrently | `dispatching-parallel-agents` |
 | Making a payment or calling a paid API | `agent-payments` |
+| "setup payments" / "enable wallet" / "configure spending" | `agent-payments` → `npx clawpowers payments setup` |
+| "demo x402" / "test payments" / "mock merchant" | `npx clawpowers demo x402` |
+| "payment log" / "spending history" | `npx clawpowers payments log` |
 | Checking code/containers for vulnerabilities | `security-audit` |
 | Writing blog posts, docs, or social content | `content-pipeline` |
 | Need to understand how to learn something effectively | `learn-how-to-learn` |