Skill v1.0.8

ClawScan security

x402 Payments · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 22, 2026, 9:16 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's code, instructions, and required env vars are consistent with its stated purpose (automatically signing USDC payments on Base); it legitimately needs a private key, but that makes it high-risk to run with valuable funds.

Guidance
This skill will sign and send USDC payments using whatever private key you provide. That is coherent with its purpose, but it means you should only install/run it if you trust the skill and the endpoints it will contact. Recommendations before installing:
1) Use a dedicated wallet with minimal USDC and no long-term funds (do not use your primary wallet).
2) Set a low X402_MAX_PAYMENT_USD both in env and config.json to cap accidental spend.
3) Inspect the x402 SDK package and this skill's code yourself or run it in an isolated environment.
4) Prefer testnet (set X402_NETWORK=testnet) until you confirm behavior.
5) Remove the EVM_PRIVATE_KEY from shared shells/CI and avoid persisting it in insecure places.
Finally, note SKILL.md references 'simmer-sdk' even though the bundled requirements don't — that mismatch should be clarified by the publisher.

Review Dimensions

Purpose & Capability
Status: ok
Name/description match what the code does: it fetches URLs and, on HTTP 402, uses an x402 SDK to sign/pay USDC on Base. Required packages (x402, eth-account, httpx) and the EVM private key are appropriate for this functionality. Minor mismatch: SKILL.md suggests installing 'simmer-sdk' but the code and requirements.txt do not import or require simmer-sdk — this appears to be an extraneous instruction.

Instruction Scope
Status: ok
SKILL.md and x402_cli.py restrict actions to: reading a skill-local config.json, reading env vars, making HTTP requests to user-specified URLs, and signing/sending payments via the x402 SDK. There is no evidence the skill reads unrelated system files or transmits data to hidden endpoints. Note: the agent will autonomously attempt real payments to arbitrary URLs you ask it to fetch, so misuse or unintended fetches can spend funds.

Install Mechanism
Status: ok
No remote download/extract install steps; dependencies are standard Python packages (x402, httpx, eth-account) declared in requirements.txt. This is a typical pip-based install surface (moderate risk only because PyPI packages execute code). The SKILL.md extra instruction to 'pip install simmer-sdk' is not reflected in requirements.txt and appears unnecessary.

Credentials
Status: note
The skill requires an EVM private key (EVM_PRIVATE_KEY or WALLET_PRIVATE_KEY fallback) — this is logically required to sign payments. This is highly sensitive: possession of the private key grants the skill full ability to move funds from that wallet. The skill exposes a per-request USD cap (X402_MAX_PAYMENT_USD / config.json) which mitigates but does not eliminate risk.

Persistence & Privilege
Status: ok
always: false (not forced into every agent run). disable-model-invocation is false (normal), so the agent may invoke the skill autonomously; combined with a supplied private key this increases operational risk, but this privilege is expected for a payments skill.