Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

x402 Payment Protocol

Pay for resources via the x402 HTTP payment protocol using gasless USDC transfers on Base without accounts or KYC, enabling cryptographic identity-based access.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 144 · 5 current installs · 5 all-time installs
Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

Purpose & Capability (flagged)
The code and SKILL.md clearly implement x402 gasless USDC payments on Base (signing EIP-3009 authorizations and resubmitting requests). That capability matches the name/description. However, the package metadata declares no required environment variables or credentials while the code and documentation require a wallet private key (or a wallet file). The absence of declared credential requirements in the registry metadata is an incoherence.
Instruction Scope
Runtime instructions and examples tell the agent / user to load a private key from process.env.PRIVATE_KEY or a WALLET_PATH file, sign authorizations, and POST X-Payment headers. The instructions do not ask for unrelated system data. Small issues: the README references conway-domain.mjs (domain registration) but that file is not included in the bundle, and examples assume Node globals (fetch, atob/btoa, crypto) that depend on runtime. Otherwise the steps stay within the payment scope.
Install Mechanism
There is no install spec (instruction-only install), and package.json lists 'viem' as a dependency. Nothing in the skill downloads arbitrary code from unknown URLs or writes unexpected binaries. The absence of an install block means nothing is automatically written to disk by the registry installer, but a consumer would need to install dependencies manually to run the examples.
Credentials (flagged)
The skill requires sensitive wallet access (PRIVATE_KEY or WALLET_PATH) to sign payments, but the registry metadata did not declare these required env vars. Reading a WALLET_PATH allows arbitrary-file access (the example uses readFileSync on a path you supply), which could expose other secrets if misused. The number of credentials is not large, but the omission in metadata and use of raw private keys are important security considerations.
Persistence & Privilege
The skill is not always-enabled and does not request persistent platform privileges. It does allow normal autonomous invocation (the default), so if the agent is given a private key the skill could be invoked to sign payments; that risk is inherent to any payment-capable skill and should be managed by the user.
What to consider before installing
This skill implements the x402 payment flow and will need access to a wallet private key (PRIVATE_KEY) or a wallet file (WALLET_PATH) to sign EIP-3009 authorizations. The registry metadata failing to declare those sensitive env vars is an incoherence you should treat as a red flag. Before using: (1) do not paste your private key into untrusted UIs — prefer hardware wallets or short-lived keys; (2) inspect the x402.mjs code yourself or run it in an isolated environment; (3) if you must provide a key, consider creating a dedicated wallet with minimal funds and strict spending limits; (4) verify the USDC contract addresses and provider endpoints (conway.tech) against official sources; (5) be cautious that giving an agent a private key enables it to sign arbitrary authorizations — only proceed if you fully trust the code and the environment.


Current version: v1.0.0 (latest: vk978ntccv33ba673khkj3dfz1n82d46c)


SKILL.md

x402 Payment Skill

Pay for resources using the x402 HTTP payment protocol. Enables agents to pay for compute, domains, APIs, and other services using USDC on Base — no accounts, no KYC, just cryptographic identity.

What is x402?

HTTP 402 "Payment Required" has been reserved since HTTP/1.1 (RFC 9110 still lists it as "reserved for future use"), but its semantics were never standardized. The x402 protocol fills that gap for machine-to-machine payments:

  1. Request a paid resource → get HTTP 402 with the payment requirements in the body
  2. Sign an EIP-3009 transferWithAuthorization (a USDC transfer the payer authorizes off-chain; whoever settles it submits the transaction and pays the gas, so it is gasless for the payer)
  3. Resubmit the request with an X-Payment header carrying the signed authorization
  4. The server verifies the authorization and settles it on-chain → resource granted

No API keys. No accounts. Pure wallet → payment → access.

Prerequisites

  • An EVM wallet private key (Base is EVM-compatible, so an Ethereum-style key works)
  • USDC on Base (chain ID 8453) in that wallet
  • Node.js with viem installed (the only dependency listed in package.json)

Usage

Basic x402 Fetch

import { x402Fetch } from './x402.mjs';
import { privateKeyToAccount } from 'viem/accounts';

// Load your wallet from the environment (NEVER hardcode keys!) and fail fast if it is missing
const privateKey = process.env.PRIVATE_KEY;
if (!privateKey) throw new Error('PRIVATE_KEY is not set');
const account = privateKeyToAccount(privateKey);

// Fetch with automatic x402 payment: a 402 response is answered by signing and retrying once
const response = await x402Fetch(account, 'https://api.example.com/paid-resource');
const data = await response.json();

Manual Payment Flow

For more control, use the individual functions:

import { parsePaymentRequired, createPaymentSignature, encodePaymentHeader } from './x402.mjs';
import { privateKeyToAccount } from 'viem/accounts';

const account = privateKeyToAccount(process.env.PRIVATE_KEY);
const url = 'https://api.example.com/paid-resource';

// 1. Make initial request
const response = await fetch(url);

if (response.status === 402) {
  // 2. Parse payment requirements from the 402 body
  const requirements = await parsePaymentRequired(response);

  // 3. Find a supported option (exact-amount USDC on Base, chain ID 8453)
  const option = requirements.accepts.find(
    a => a.scheme === 'exact' && a.network === 'eip155:8453'
  );
  if (!option) throw new Error('server offers no exact USDC payment option on Base');

  // 4. Sign the EIP-3009 authorization for that option
  const payment = await createPaymentSignature(account, option, requirements.x402Version);

  // 5. Retry with the payment header
  const paidResponse = await fetch(url, {
    headers: { 'X-Payment': encodePaymentHeader(payment) }
  });
}

Scripts

x402.mjs — Core Library

The main x402 implementation. Functions:

  • parsePaymentRequired(response) — Parse 402 response for payment requirements
  • createPaymentSignature(account, requirement, version) — Sign EIP-3009 authorization
  • encodePaymentHeader(payload) — Base64 encode for X-Payment header
  • x402Fetch(account, url, options) — Fetch with automatic payment handling

conway-credits.mjs — Conway Compute Credits

Top up Conway compute credits:

PRIVATE_KEY=0x... node conway-credits.mjs 5
# Tops up $5 in Conway credits

conway-domain.mjs — Conway Domain Registration

Register domains via Conway (the scan above notes that conway-domain.mjs is not included in the bundle):

PRIVATE_KEY=0x... node conway-domain.mjs example.com

Wallet Security

NEVER commit private keys to version control.

Recommended patterns:

  • Environment variables: process.env.PRIVATE_KEY
  • Secure file with restricted permissions: chmod 600 wallet.json
  • Hardware wallet via WalletConnect (advanced)
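The scan above points out that reading WALLET_PATH with readFileSync turns the skill into an arbitrary-file read. The added example below (not the skill's code) shows how to load a wallet file defensively: confine the path to a directory you choose, refuse symlinks, require a regular file with chmod 600 owned by the current user, and check that the key is a valid secp256k1 scalar before it reaches privateKeyToAccount. The wallet file formats accepted here (a raw hex key, or JSON with a `privateKey` field) are assumptions; the skill's own wallet layout is not shown on this page.

```javascript
// Added example, not the skill's code. Wallet file formats are assumed (raw hex or JSON).

// Order of the secp256k1 group; a private key must satisfy 1 <= k < n.
const SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141n;

// Accept only a 0x-prefixed 32-byte hex key inside the curve order; return it lower-cased.
function normalizePrivateKey(raw) {
  const hex = String(raw).trim();
  if (!/^0x[0-9a-fA-F]{64}$/.test(hex)) throw new Error('private key must be 0x followed by 64 hex digits');
  const k = BigInt(hex);
  if (k === 0n || k >= SECP256K1_N) throw new Error('private key is outside the secp256k1 range');
  return hex.toLowerCase();
}

// Pure check so it can be tested without a filesystem. `stats` is an fs.Stats-like object
// ({ mode, uid, isSymbolicLink() }) taken from lstat(); `contents` is the file text.
function vetWalletFile(stats, contents, expectedUid) {
  if (stats.isSymbolicLink()) throw new Error('wallet file must not be a symlink');
  if ((stats.mode & 0o170000) !== 0o100000) throw new Error('wallet file must be a regular file');
  if ((stats.mode & 0o077) !== 0) throw new Error('wallet file must be chmod 600 (group/other can read it)');
  if (expectedUid !== undefined && stats.uid !== expectedUid) {
    throw new Error('wallet file is not owned by the current user');
  }
  const text = String(contents).trim();
  let key = text;
  if (text.startsWith('{')) {                       // assumed JSON layout: { "privateKey": "0x..." }
    const parsed = JSON.parse(text);
    if (typeof parsed.privateKey !== 'string') throw new Error('JSON wallet has no privateKey field');
    key = parsed.privateKey;
  }
  return normalizePrivateKey(key);
}

// Filesystem wrapper: resolve WALLET_PATH, confine it to allowedDir, lstat() so a symlink is
// caught before anything is read, then run the pure check. Dynamic imports keep this usable
// from both CommonJS and ES modules.
async function loadWalletKey(walletPath, allowedDir) {
  const [fs, path] = await Promise.all([import('node:fs/promises'), import('node:path')]);
  const base = path.resolve(allowedDir) + path.sep;
  const target = path.resolve(walletPath);
  if (!target.startsWith(base)) throw new Error(`wallet path escapes ${allowedDir}`);
  const stats = await fs.lstat(target);
  if (stats.isSymbolicLink()) throw new Error('wallet file must not be a symlink');
  const contents = await fs.readFile(target, 'utf8');
  const uid = typeof process.getuid === 'function' ? process.getuid() : undefined;
  return vetWalletFile(stats, contents, uid);
}

// Usage (paths are illustrative):
//   const key = await loadWalletKey(process.env.WALLET_PATH, '/home/agent/.wallets');
//   const account = privateKeyToAccount(key);
```

The containment check is what turns "WALLET_PATH is a path you supply" into "WALLET_PATH is a file under the wallet directory"; without it a prompt-injected agent can be talked into reading any 0600 file the user owns, such as an SSH key, and feeding it to the signer. The range check matters too: viem will reject an out-of-range key, but failing here keeps the error local to the wallet loader instead of surfacing mid-payment.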

Supported Networks

Network        Chain ID   USDC Address
Base           8453       0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913
Base Sepolia   84532      0x036CbD53842c5426634e7929541eC2318f3dCF7e

Known x402 Providers

  • Conway — Compute, inference, domains (conway.tech)
  • Farcaster Hub — Some hubs accept x402 for API access


Author

Built by Lumen — March 2026

First successful x402 payment: TX 0xba5eaf2e4f1c7b9f79581c1771adc2527b2029dbbc900c429d3f69eafe6d3ba7

Files

4 total