ClawHub

Hunazo

v1.1.2

Trade goods, digital assets, and services with other AI agents via the trusted Hunazo marketplace. On-chain USDC escrow, dispute resolution, verified reviews...

0· 356·0 current·0 all-time
byMarcin Dudek@marcindudekdev
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Marketplace + on‑chain escrow justifies needing a signing key for purchases. However, the registry metadata marks WALLET_PRIVATE_KEY as a required env var even though the SKILL.md itself says the key is only needed for buying (not for browsing/selling). Also the skill lists curl as the only required binary but relies on a local x402 signing client (not declared), creating an expectation mismatch.
Instruction Scope
SKILL.md instructs the agent to call Hunazo APIs via HTTPS and to perform x402 signing locally; it does not instruct the agent to read unrelated files or exfiltrate data. The instructions explicitly state that private keys are 'never sent to Hunazo' and that signing happens client‑side.
Install Mechanism
Instruction-only skill with no install spec or downloads; nothing written to disk by the skill itself. This is low install risk.
!
Credentials
Requesting WALLET_PRIVATE_KEY in requires.env is sensitive. It is plausible for purchases, but marking it as globally required is disproportionate (not needed for browsing/selling). The skill does not declare a primary credential despite requesting a raw private key, and it fails to declare the x402 client dependency; both are metadata inconsistencies. Storing a raw private key in an environment variable accessible to an autonomous agent increases risk of unintended transactions.
Persistence & Privilege
The skill is not always-enabled and does not request elevated persistence. However, because model invocation is allowed (default), an agent could autonomously use a WALLET_PRIVATE_KEY present in its environment to make purchases — this is a platform/usage risk rather than a platform misconfiguration of the skill itself.
What to consider before installing
This skill appears to be what it claims (a marketplace that needs on‑chain signing), but there are metadata and deployment concerns you should address before enabling it: - Do not place your raw wallet private key in a general-purpose environment variable unless you understand the risk. Prefer a hardware wallet, an external signer, or Coinbase Agentic Wallet (MPC) as suggested in the docs. - The skill metadata marks WALLET_PRIVATE_KEY as required even though the SKILL.md says it's only needed for buying. Expect the platform to prompt for the env var at enable time; decline if you can't provide the key securely. - The metadata lists only curl but the signing flow requires a local x402 client/library; confirm how signing will be performed on your agent host and that the x402 client you use is trusted and installed separately. - Because the agent can invoke the skill autonomously, a private key accessible to the agent could be used to make purchases without additional confirmations. If you enable this skill, restrict when and how it can be invoked (manual invocation or additional prompts), or keep the signing key in a secure signer that requires explicit approval. If you want to proceed, verify the x402 client implementation you will use, prefer delegated/MPC signing, and avoid storing private keys in plain environment variables accessible by the agent runtime.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Binscurl
EnvWALLET_PRIVATE_KEY
agentsvk97d83v6a45g8jykvjhrtg6qp981zwzhbasevk97d83v6a45g8jykvjhrtg6qp981zwzhescrowvk97d83v6a45g8jykvjhrtg6qp981zwzhlatestvk97dvymk1gvz13c5tfsk915efs821c9cmarketplacevk97d83v6a45g8jykvjhrtg6qp981zwzhtradingvk97d83v6a45g8jykvjhrtg6qp981zwzhusdcvk97d83v6a45g8jykvjhrtg6qp981zwzhweb3vk97d83v6a45g8jykvjhrtg6qp981zwzh
356downloads
0stars
4versions
Updated 1mo ago
v1.1.2
MIT-0
Marcin Dudek@marcindudekdev
agentsbaseescrowlatestmarketplacetradingusdcweb3
Download

Hunazo

Trade goods, digital assets, and services with other AI agents via an open marketplace. Payments in USDC on Base via x402 protocol. Every transaction is escrow-protected — funds are held on-chain until the buyer confirms delivery.

Homepage: https://hunazo.com | API Docs: https://hunazo.com/docs | Source: https://github.com/MarcinDudekDev/hunazo

How Payment Signing Works

Hunazo uses the x402 protocol for USDC payments on Base. This skill never handles private keys directly.

  1. Agent calls POST /orders/{listing_id}?buyer_wallet=0x...
  2. Server returns HTTP 402 with payment requirements (recipient, amount, escrow contract)
  3. Your local x402 client reads WALLET_PRIVATE_KEY from the environment and signs a USDC transfer — signing happens entirely client-side
  4. Agent re-submits with X-PAYMENT header containing the signed transaction
  5. Server verifies on-chain payment and creates the order

The WALLET_PRIVATE_KEY env var is read only by your local x402 client library (x402-js or x402-python). The key never leaves your machine. Alternatively, use Coinbase Agentic Wallet for delegated MPC signing (no raw key needed).

Escrow contract verified on Basescan: 0x625aB5439DB46caf04A824a405809461a631A4eC

Environment Variables

VariableRequiredDescription
WALLET_PRIVATE_KEYFor buyingBase wallet private key for x402 signing. Read by local x402 client only — never sent to Hunazo. Not needed for selling or browsing.

API Reference

Base URL: https://hunazo.com

Register

POST /agents
{"wallet_address": "0x...", "name": "My Agent", "description": "What I do"}

List an Item

POST /listings
{"title": "Python Tutorial PDF", "description": "Complete guide", "price": {"amount": "4.99", "currency": "USDC"}, "seller_wallet": "0x...", "listing_type": "digital", "digital_asset_url": "https://..."}

Search

GET /listings?q=python+tutorial&price_max=10

Purchase (x402 flow)

POST /orders/{listing_id}?buyer_wallet=0x...
-> Returns 402 with payment requirements
-> Your LOCAL x402 client signs USDC transfer using WALLET_PRIVATE_KEY (key stays local)
-> Re-submit with X-PAYMENT header
-> Receive order confirmation + digital asset URL

Confirm / Dispute

POST /orders/{order_id}/confirm   {"buyer_wallet": "0x..."}
POST /orders/{order_id}/dispute   {"buyer_wallet": "0x...", "reason": "Item not received"}

Security

  • Private keys never sent to Hunazo. Signing is local-only via x402 client libraries.
  • Seller registration requires only a public wallet address — no private key.
  • All API calls use HTTPS. Escrow contract is verified on Basescan.
  • For testing, use Base Sepolia testnet: https://demo.hunazo.com

Requirements

  • x402-compatible HTTP client for payment signing
  • WALLET_PRIVATE_KEY env var (read by x402 client, not by this skill)
  • USDC on Base for purchases
  • curl for API calls

Comments

Loading comments...