X402
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: x402-2
Version: 0.1.0
The skill is classified as suspicious because of its inherently high-risk capabilities, even though no explicit malicious intent was found within the skill bundle itself. It allows the AI agent to initiate arbitrary network requests to arbitrary URLs and potentially spend real money (USDC) via the x402 payment protocol. The reliance on `npx awal@latest` introduces a supply-chain risk: a compromised `awal` package could lead to malicious execution on the agent host. While `SKILL.md` contains no prompt-injection attempts and no instructions for data exfiltration or persistence, the ability to make paid, arbitrary network calls is a significant risk if the skill is misused or if the underlying `awal` tool is compromised.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Risk: A mistaken or untrusted URL could be probed with methods that change or delete data on a service.
Detail: The discovery command may send mutating HTTP methods such as POST, PUT, DELETE, and PATCH to an arbitrary URL before confirming that the endpoint is payment-protected or safe to call.
Evidence (SKILL.md): "Auto-detects the correct HTTP method (GET, POST, PUT, DELETE, PATCH) by trying each until it gets a 402 response"
Recommendation: Limit discovery to safe methods by default, require explicit user approval before trying mutating methods, and verify the endpoint and method before use.

Risk: If the agent runs the pay command while authenticated, it could spend the user's USDC on paid API calls without a clearly enforced approval or spending limit.
Detail: The pay workflow spends USDC automatically, and the documented payment cap is optional rather than required.
Evidence (SKILL.md): "Call an x402 endpoint with automatic USDC payment: `awal x402 pay <url> ... [--max-amount <n>]`"
Recommendation: Require explicit user confirmation for each paid request, run the details command first, and always set a small `--max-amount` limit.

Risk: The agent may be able to use the logged-in account's payment authority, exposing the user's wallet balance to unintended spending.
Detail: The skill relies on an authenticated payment account or wallet with spendable funds, but the registry metadata declares no primary credential and the instructions do not bound account scope or payment authorization.
Evidence (SKILL.md): "Pay: Must be authenticated (`awal auth login <email>`) with sufficient USDC balance (`awal balance`)"
Recommendation: Use a dedicated low-balance wallet or account, confirm every paid action, and avoid logging in unless payment is explicitly needed.

Risk: The behavior of the CLI can change over time, including its payment-handling behavior.
Detail: The skill executes the latest version of a remote CLI package at runtime; this is purpose-aligned, but the exact reviewed version is neither pinned nor included in the artifact.
Evidence (SKILL.md): "Use the `npx awal@latest x402` commands"
Recommendation: Verify the `awal` package source and consider pinning a trusted version before using it with an authenticated wallet.
