Agentpmt No Account Agentaddress X402

Pass. Audited by VirusTotal on May 13, 2026.

Overview

Type: OpenClaw Skill
Name: agentpmt-no-account-agentaddress-x402
Version: 1.0.0

The skill bundle provides instructions and Python code for an AI agent to perform tool invocations and crypto-based payments via the AgentPMT platform (agentpmt.com). It includes standard implementation logic for EIP-712 typed data signing (x402 flow) and HMAC-like request signing, with explicit instructions to handle private keys securely using a secret manager. No evidence of malicious intent, data exfiltration, or unauthorized execution was found; the code is entirely aligned with the stated purpose of enabling autonomous agent payments.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the key is exposed, reused, or used by an over-permissive agent, credits or wallet funds could be spent or controlled by someone other than the user.

Why it was flagged

The instructions obtain a wallet private key from an external service and later use wallet keys for signing/payment flows. This is central to the stated purpose, but it is high-privilege financial credential handling.

Skill content
response = requests.post("https://www.agentpmt.com/api/external/agentaddress", timeout=30)
...
private_key = wallet["evmPrivateKey"]
Recommendation

Use only a dedicated low-balance/disposable wallet or AgentAddress, keep keys in a real secret manager, do not paste keys into prompts or logs, and avoid sending unrelated funds to provider-generated addresses.

Concern (Medium Confidence)
ASI02: Tool Misuse and Exploitation
What this means

An autonomous agent could make paid tool calls or spend wallet funds/credits in ways the user did not intend.

Why it was flagged

The x402 example selects the first payment option and builds a signed authorization for the returned payee and amount, without showing a user approval step or local spending limits.

Skill content
accepted = payment_required["accepts"][0]
...
"to": accepted["payTo"].lower(),
"value": str(accepted["amount"])
Recommendation

Require explicit user approval or a strict budget before signing payments; validate product/action slugs, payee, token, network, and maximum amount before each paid retry.

What this means

Installing packages in the active agent environment can introduce dependency risk if packages or versions are compromised.

Why it was flagged

The skill asks users to install unpinned Python dependencies. This is expected for HTTP requests and Ethereum signing, but dependency provenance and versions are not constrained.

Skill content
pip install requests eth-account
Recommendation

Install in an isolated environment and pin reviewed versions of requests and eth-account when possible.