Simmer X402
v1.0.6
Make x402 payments to access paid APIs and gated content. Use when a skill needs to fetch data from x402-gated endpoints (like Kaito mindshare API, Simmer pr...
by AD88 (@adlai88)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign (high confidence)
Purpose & Capability
The name/description match the included code: the Python CLI and library call out x402 payment flows and Quicknode RPC. The only minor mismatch is SKILL.md's instruction to 'pip install simmer-sdk' while the packaged requirements and code use the x402 SDK (requirements.txt and imports reference x402, httpx, eth-account). Otherwise the resources requested (EVM private key, x402 client) are expected for on-chain payments.
Instruction Scope
Runtime instructions and the code stay within the declared purpose: making HTTP requests, detecting HTTP 402 responses, and performing x402 payments using an on-chain signer. The skill reads its own config.json and environment variables (EVM_PRIVATE_KEY/WALLET_PRIVATE_KEY, X402_MAX_PAYMENT_USD, X402_NETWORK) — all relevant. There are no instructions to read unrelated system files or exfiltrate data to unexpected endpoints.
Install Mechanism
No install spec that downloads arbitrary code is present; installation is standard Python package installs (x402, httpx, eth-account) via pip. That is expected for a Python CLI wrapper. The stray reference to 'simmer-sdk' in SKILL.md is inconsistent with requirements.txt but not itself an install-time red flag.
Credentials
The skill requires an EVM private key (EVM_PRIVATE_KEY or fallback WALLET_PRIVATE_KEY), which is necessary for signing payments and therefore proportional to the skill's purpose. However, this is a highly sensitive secret because it gives spend authority; users should only provide a wallet with limited funds or a dedicated signing key. Other env vars (X402_MAX_PAYMENT_USD, X402_NETWORK) are reasonable safety/configuration controls.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and is instruction-only with one CLI file. Autonomous invocation is allowed by default (disable-model-invocation is false), which is expected for skills — note that autonomous invocation combined with the ability to sign payments increases risk if you let the agent act without guardrails.
Assessment
This skill is coherent with its description: it will use the EVM private key you supply to sign USDC payments on Base for 402 Payment Required flows. Before installing, consider:
1) Never supply your main wallet private key — create a dedicated wallet with minimal USDC and optionally use testnet.
2) Set X402_MAX_PAYMENT_USD to a low value (or edit config.json) to limit how much the agent can spend per request.
3) Verify the Python packages (x402, httpx, eth-account) you install come from trusted sources.
4) Review the included x402_cli.py if you want to confirm behavior, and only allow autonomous agent actions if you trust the agent's decision logic.
If you cannot create a limited-value wallet, do not provide your private key.
Like a lobster shell, security has layers — review code before you run it.
