Bondterminal X402
Pending
Static analysis audit pending.
Overview
No static analysis result has been recorded yet. Pattern checks will appear here once the artifact has been analyzed.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using this workflow could spend USDC repeatedly while answering bond-data questions, even if each individual request is only $0.01.
The skill explicitly supports automatically turning a 402 response into a signed payment and retrying the request, but it does not specify user confirmation, spending caps, payTo validation, or retry limits.
Supports automatic 402 → payment → retry.
Require explicit user approval before paid calls, verify the amount, network, asset, and payee before signing, and set a maximum spend or request count per task.
If the environment or dependencies are misused or compromised, the funded wallet could be used for payments beyond the user's intended query.
The skill asks users to make a funded wallet private key available for signing. That is high-impact credential access because the key can authorize USDC transfers, and the skill metadata declares no primary credential or required environment variable.
export X402_PRIVATE_KEY=0x... # EVM private key with USDC on Base
Use a dedicated low-balance wallet, avoid raw private keys where possible, prefer hardware/KMS signers with policy controls, and declare the credential requirement clearly in metadata.
Installing unpinned packages can expose the user to unexpected package updates in code that interacts with a funded signer.
The setup depends on third-party npm packages without pinned versions. This is expected for the x402/viem integration, but users should understand that these packages will handle wallet signing flows.
npm install @x402/core @x402/evm viem
Pin package versions, install from trusted registries, and review dependency changes before using the signer.
