Bondterminal X402

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is a coherent paid BondTerminal API helper, but it asks the agent to use a funded crypto signer and can automatically spend USDC without clear approval limits or declared credential requirements.

Install only if you are comfortable letting the agent use a dedicated low-balance Base wallet for paid API calls. Add your own approval prompts and spending limits, verify every payment request before signing, and pin the npm package versions before use.

Static analysis

Static analysis findings are pending for this release.

VirusTotal

64/64 vendors flagged this skill as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the signer is configured, the agent can authorize payments from that wallet; mistakes or repeated calls could spend USDC beyond what the user expected.

Why it was flagged

The skill's setup requires a funded EVM private key capable of authorizing USDC payments, while the registry metadata declares no required env vars or primary credential. That under-discloses sensitive financial authority.

Skill content

export X402_PRIVATE_KEY=0x...  # EVM private key with USDC on Base

Recommendation

Use a dedicated low-balance wallet, declare the credential requirement clearly, and require explicit user approval or a hard spending limit before any signature is produced.

What this means

A normal data lookup can become a paid transaction automatically, and repeated or unexpected requests may incur charges.

Why it was flagged

The documented flow automatically creates and sends a payment payload after a 402 response, but the artifacts do not show user confirmation, maximum spend checks, or validation that the server-requested payment is exactly the expected $0.01 USDC on Base.

Skill content

Supports automatic 402 → payment → retry ...

const payload = await httpClient.createPaymentPayload(paymentRequired);

Recommendation

Before signing, verify amount, asset, network, and recipient; display the charge to the user; and enforce per-request and total-session spending caps.

What this means

Future dependency changes could alter the payment-signing behavior used by the examples.

Why it was flagged

The skill is instruction-only and the npm install step is central to the stated x402 purpose, but the package versions are not pinned.

Skill content

npm install @x402/core @x402/evm viem

Recommendation

Pin exact package versions, use a lockfile, and review dependency provenance before configuring a funded wallet.