Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

X402

v0.1.0

Search for new services and make paid API requests using the x402 payment protocol. Use when you don't have a clear tool to choose, search the bazaar. You can also use this tool if you or the user want to call an x402 endpoint, discover payment requirements, browse the bazaar, or search for paid services.

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
Name/description match the SKILL.md: it is a helper for discovering and calling x402-paid endpoints. However the skill's instructions assume the presence/usage of external tooling (npx and the `awal` CLI) and a wallet/login flow but the metadata declares no required binaries, no credentials, and no source/homepage. That mismatch (declaring nothing required while instructing to run npx/awal and to authenticate/pay) is incoherent and unexplained.
Instruction Scope
The runtime instructions instruct the agent to discover endpoints, probe URLs by trying HTTP methods until a 402 response, and perform automatic USDC payments via `awal x402 pay`. They also reference cached data at ~/.config/awal/bazaar and authentication (awal auth login). These are within the stated purpose, but they allow the agent to perform financial actions and to read/write user config files without declaring or constraining that access (no explicit confirmation steps or credit/payment safeguards described). Probing arbitrary URLs by trying multiple HTTP methods and performing payments could have side effects and financial risk.
Install Mechanism
The skill is instruction-only (no install spec), but it explicitly tells users/agents to run `npx awal@latest x402`, which will fetch and execute the latest package from the npm registry at runtime. That implies downloading and executing third-party code without a pinned version, provenance, or homepage/source to verify. The skill metadata also lacks a declared source or homepage, increasing the risk that the runtime package could be untrusted or malicious.
Credentials
The SKILL.md requires authentication and a USDC wallet balance to make payments, and it refers to storing cached resources and presumably auth state under ~/.config/awal/. Yet the skill declares no required environment variables or credentials and gives no explanation of where secret keys or wallet connections come from. Requesting no credentials in metadata while instructing to perform authenticated payments is disproportionate and missing important detail about how secrets are handled/stored.
Persistence & Privilege
The skill writes/reads cached data under ~/.config/awal/bazaar and will store authentication state via the `awal` CLI (per instructions). While always:false (not force-installed), the skill allows autonomous invocation (disable-model-invocation:false) and its primary action can initiate payments. Autonomous invocation combined with capabilities to store auth tokens and make payments increases potential blast radius if the fetched code or CLI behavior is malicious or misconfigured. The metadata does not describe safeguards (e.g., explicit user confirmation before paying).
What to consider before installing
This skill appears coherent in goal (discover and pay x402 endpoints) but omits important safety details. Before installing or using it:

  1. Verify the source and the npm package `awal` (there is no homepage/source listed); prefer a pinned package version instead of `@latest`.
  2. Do not run `npx awal@latest` in sensitive environments — use an isolated sandbox/VM to inspect the package first.
  3. Check what the `awal` CLI stores under ~/.config/awal (it may contain auth tokens or wallet keys) and understand how authentication is done.
  4. Require manual confirmation before any payment operations and avoid providing private keys or wallet secrets as environment variables without understanding storage/permissions.
  5. Ask the skill author for a homepage, repository, and a reproducible install spec; if you cannot get provenance and a review of the npm package, treat the skill as risky and avoid enabling autonomous payment actions.


latest: vk97fy1tcpvq3tr0z0hx655qnrn80yaf1
890 downloads
0 stars
1 version
Updated 4h ago
v0.1.0
License: MIT-0

x402 Payment Protocol

Use the npx awal@latest x402 commands to discover, inspect, and call paid API endpoints using the X402 payment protocol. Payments are made in USDC on Base.

Workflow

The typical x402 workflow is:

  1. Find a service - Search the bazaar or get details for a known endpoint
  2. Check requirements - Inspect price, method, and input schema
  3. Make the request - Call the endpoint with automatic USDC payment

Commands

Search the Bazaar

Find paid services by keyword using BM25 relevance search:

npx awal@latest x402 bazaar search <query> [-k <n>] [--force-refresh] [--json]

Option                 Description
-k, --top <n>          Number of results (default: 5)
--force-refresh        Re-fetch resource index from CDP API
--json                 Output as JSON

Results are cached locally at ~/.config/awal/bazaar/ and auto-refresh after 12 hours.

List Bazaar Resources

Browse all available resources:

awal x402 bazaar list [--network <network>] [--full] [--json]

Option                 Description
--network <name>       Filter by network (base, base-sepolia)
--full                 Show complete details including schemas
--json                 Output as JSON

Discover Payment Requirements

Inspect an endpoint's x402 payment requirements without paying:

awal x402 details <url> [--json]

Auto-detects the correct HTTP method (GET, POST, PUT, DELETE, PATCH) by trying each until it gets a 402 response, then displays price, accepted payment schemes, network, and input/output schemas.

Make a Paid Request

Call an x402 endpoint with automatic USDC payment:

awal x402 pay <url> [-X <method>] [-d <json>] [-q <params>] [-h <json>] [--max-amount <n>] [--json]

Option                   Description
-X, --method <method>    HTTP method (default: GET)
-d, --data <json>        Request body as JSON string
-q, --query <params>     Query parameters as JSON string
-h, --headers <json>     Custom HTTP headers as JSON string
--max-amount <amount>    Max payment in USDC atomic units (1000000 = $1.00)
--correlation-id <id>    Group related operations
--json                   Output as JSON

Examples

# Search for weather-related paid APIs
awal x402 bazaar search "weather"

# Search with more results
awal x402 bazaar search "sentiment analysis" -k 10

# Check what an endpoint costs
awal x402 details https://example.com/api/weather

# Make a GET request (auto-pays)
awal x402 pay https://example.com/api/weather

# Make a POST request with body
awal x402 pay https://example.com/api/sentiment -X POST -d '{"text": "I love this product"}'

# Limit max payment to $0.10
awal x402 pay https://example.com/api/data --max-amount 100000

# Browse all bazaar resources with full details
awal x402 bazaar list --full

USDC Amounts

X402 uses USDC atomic units (6 decimals):

Atomic Units    USD
1000000         $1.00
100000          $0.10
50000           $0.05
10000           $0.01
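The details-then-pay steps described under Discover Payment Requirements, the --max-amount option and the atomic-unit table above, modelled offline in Python as an added example (not the awal CLI's own code): it probes methods until a 402, parses the requirements it carries, and refuses any option priced above a spending cap. The 402 body layout (an `accepts` list whose entries carry `scheme`, `network` and `maxAmountRequired` in atomic units), the probing order, and the fake server are assumptions constructed for the example.

```python
import json
from decimal import Decimal

USDC_DECIMALS = 6
# Probing order is an assumption; the SKILL.md only lists these five methods.
METHODS = ("GET", "POST", "PUT", "DELETE", "PATCH")

def atomic_to_usd(atomic: int) -> Decimal:
    """Six-decimal USDC: 1000000 atomic units is $1.00 (SKILL.md table)."""
    return Decimal(atomic).scaleb(-USDC_DECIMALS)

def usd_to_atomic(usd: str) -> int:
    """Inverse: '0.10' -> 100000, the value handed to --max-amount."""
    return int(Decimal(usd).scaleb(USDC_DECIMALS))

def probe_402(request, url):
    """Try each method until one answers 402; return (method, parsed body) or None.
    `request` is any callable (method, url) -> (status, body_text)."""
    for method in METHODS:
        status, body = request(method, url)
        if status == 402:
            return method, json.loads(body)
    return None  # maps to "No X402 payment requirements found"

def cheapest_option(requirements, network=None):
    """Pick the lowest-priced accepted option, optionally on one network only."""
    options = [o for o in requirements.get("accepts", [])
               if network is None or o.get("network") == network]
    return min(options, key=lambda o: int(o["maxAmountRequired"]), default=None)

def within_cap(option, max_amount: int) -> bool:
    """The --max-amount guard: never pay more than the caller allowed."""
    return int(option["maxAmountRequired"]) <= max_amount

# Constructed fake endpoint (assumed field names): only POST is x402-gated.
FAKE_402 = {"accepts": [
    {"scheme": "exact", "network": "base", "maxAmountRequired": "150000"},
    {"scheme": "exact", "network": "base-sepolia", "maxAmountRequired": "50000"},
]}

def fake_request(method, url):
    return (402, json.dumps(FAKE_402)) if method == "POST" else (405, "")

if __name__ == "__main__":
    method, reqs = probe_402(fake_request, "https://example.com/api/sentiment")
    opt = cheapest_option(reqs, "base")
    print(method, atomic_to_usd(int(opt["maxAmountRequired"])),
          "allowed" if within_cap(opt, usd_to_atomic("0.10")) else "over cap")
```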

Prerequisites

  • Search/Details: No authentication needed
  • Pay: Must be authenticated (awal auth login <email>) with sufficient USDC balance (awal balance)

Error Handling

  • "Not authenticated" - Run awal auth login <email> first
  • "No X402 payment requirements found" - URL may not be an x402 endpoint
  • "CDP API returned 429" - Rate limited; cached data will be used if available
  • "Insufficient balance" - Fund wallet with USDC (awal balance to check)
