Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Monetize Service

v0.1.0

Build and deploy a paid API that other agents can pay to use via x402. Use when you or the user want to monetize an API, make money, earn money, offer a service, sell a service to other agents, charge for endpoints, create a paid endpoint, or set up a paid service. Covers "make money by offering an endpoint", "sell a service", "monetize your data", "create a paid API".

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description (monetize an API with x402) align with the runtime instructions: obtaining a receive address, installing x402-express, and protecting Express routes. The listed allowed tools (npx, npm, node, curl) are appropriate for the task.
Instruction Scope
SKILL.md stays on-topic: it guides wallet auth, obtaining a payTo address, installing x402-express, and wiring middleware into an Express server. It does not instruct reading unrelated files or exfiltrating data. It does instruct interacting with a wallet and making on-chain payments (expected for this purpose).
Install Mechanism
There is no install spec in the skill bundle (instruction-only), but the instructions require installing the third-party npm package x402-express. Using npm packages is a normal choice but carries moderate risk—verify the package source, review code, and prefer testnet before mainnet.
Credentials
The skill requests no environment variables, which is coherent, but it depends on an authenticated wallet (via npx awal). That implies access to a wallet whose keys/funds could be at risk if misused. Requesting a receive address (payTo) is expected, but users must ensure they don't expose private keys or run this against a wallet holding significant funds without auditing dependencies.
Persistence & Privilege
always is false and the skill is user-invocable. It does not request persistent system-wide changes or modify other skills' configurations; no elevated persistence is requested.
Assessment
This skill appears to do what it says: build an Express server that charges via x402. Before installing or running it, do the following: (1) review the x402-express npm package source and its reputation; (2) test everything on base-sepolia (testnet) before switching to Base mainnet to avoid losing real USDC; (3) confirm the payTo address is correct and never paste or expose private keys; (4) verify which facilitator (x402.org or custom) will be used and read its privacy/security documents; (5) consider running dependency scans (npm audit) and pinning package versions to reduce supply-chain risk.

Like a lobster shell, security has layers — review code before you run it.

