TPN Proxy

Pass

Audited by ClawScan on May 10, 2026.

Overview

This is a coherent TPN proxy helper that discloses its API-key use and proxied web requests, with no artifact-backed evidence of hidden code or exfiltration.

Before installing, be sure you want the agent to contact TPN, use your TPN_API_KEY, return temporary SOCKS5 credentials in chat, and fetch user-selected public URLs through a proxy. If you use the x402 option, approve wallet prompts only after checking the payment details.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may contact TPN and retrieve public web content through a proxy rather than merely giving instructions.

Why it was flagged

The skill gives the agent authority to make network requests and use curl/proxy settings directly, which is expected for the proxy function but should be noticed.

Skill content

This skill executes API calls and returns results directly ... Call the TPN API yourself (via `curl` or equivalent) ... When the user asks you to fetch a URL through a proxy, make that request yourself too.

Recommendation

Use it only for intended public URLs and keep the documented URL validation and internal-address rejection in place.

What this means

Installing the skill allows the agent to use the configured TPN account key for proxy generation when invoked.

Why it was flagged

The skill requires a TPN API key and uses it to generate proxy leases; this is normal for the service but grants account-level proxy-generation authority.

Skill content

Environment variables | `TPN_API_KEY` — existence-checked only ... never echoed or logged

Recommendation

Only configure a TPN_API_KEY you are comfortable delegating to the agent, and rotate or revoke it if transcripts or environment access are exposed.

What this means

If using the x402 path, the user may be asked to approve and sign a payment with a wallet.

Why it was flagged

The reference flow includes wallet-mediated USDC approval and signing for x402 payments; this is purpose-aligned but affects payment authority.

Skill content

Sign a USDC payment on Base ... const tx = await usdc.approve( pay_to, amount ) ... const signature = await authorizer.signMessage

Recommendation

Verify the amount, recipient, network, and wallet prompt before approving any x402 payment.