Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

AgnicPay x402 wallet authentication

Authenticate to AgnicPay wallet using browser OAuth or non-browser API token mode

MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description match the runtime instructions: the SKILL.md only describes authenticating to an AgnicPay wallet using either an OAuth browser flow or a token. Nothing in the instructions requests access to unrelated services or credentials.
Instruction Scope
Instructions are narrowly scoped to running the agnic CLI (npx agnic@latest) for login/status and optionally setting AGNIC_TOKEN. They instruct opening a browser for OAuth and using a token for headless flows. Minor inconsistency: the metadata declares no required env vars, yet the doc uses AGNIC_TOKEN (optional token mode).
Install Mechanism
The skill relies on running 'npx agnic@latest' at runtime. npx fetching an unpinned 'latest' package from the npm registry means arbitrary third‑party code will be downloaded and executed on the host — a supply‑chain / arbitrary code execution risk. There is no pinned version, no verified release host, and no install spec to control what is fetched.
Credentials
No required environment variables are declared in the skill metadata, but the instructions tell the user/agent to set AGNIC_TOKEN for headless auth. Requesting a token for auth is reasonable for this purpose, but the token variable is not documented as required or described further (scope, least privilege, lifetime), so the skill omits useful context about credential scope and handling.
Persistence & Privilege
The skill does not request always:true, does not declare config paths, and does not instruct modifying other skills or system-wide agent settings. Default autonomy is allowed, but the skill is not otherwise privileged.
What to consider before installing
This skill is coherent with its stated purpose (authenticating an AgnicPay wallet), but it directs the agent to run 'npx agnic@latest' which downloads and executes unpinned npm code — a significant supply‑chain risk. Before installing or invoking:

  1) Verify the official source of the 'agnic' CLI (official website, GitHub repo, npm package owner) and prefer a pinned, versioned package instead of '@latest'.
  2) Inspect the package's code or its release artifacts if possible, or run it in an isolated environment (container/VM) not holding other secrets.
  3) Treat AGNIC_TOKEN like any credential: only provide a scoped, short‑lived token and avoid exporting it in environments with other sensitive credentials.
  4) If you must run the browser OAuth flow, ensure the agent won't capture or exfiltrate the resulting tokens.

If you cannot verify the CLI's provenance or are uncomfortable with npx '@latest' execution, consider not installing this skill or requesting a versioned/installable alternative from a trusted source.
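The Install Mechanism and Credentials findings above can be expressed as a check run over a skill's instructions before installing it. This is an added example, not ClawHub's or OpenClaw's scanner; `audit_skill`, `split_spec`, the finding labels and the `agnic@0.0.0` placeholder version are hypothetical, and the sample lines are constructed from the SKILL.md commands.

```python
import re

# Exact semver (1.2.3, 1.2.3-beta.1). Dist-tags such as "latest" and ranges can move.
EXACT = re.compile(r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$")
# First non-flag word after npx. Simplification: flags that take a value are not handled.
NPX = re.compile(r"\bnpx\s+(?:-\S+\s+)*(\S+)")
ENV = re.compile(r"\bexport\s+([A-Z_][A-Z0-9_]*)=")

def split_spec(spec):
    """Split 'name@version' or '@scope/name@version' into (name, version or None)."""
    at = spec.rfind("@")
    if at <= 0:  # no '@' at all, or only the leading '@' of a scoped name
        return spec, None
    return spec[:at], spec[at + 1:]

def audit_skill(text, declared_env=()):
    """Return (line_no, kind, detail) for unpinned npx specs and undeclared env vars."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in NPX.finditer(line):
            spec = m.group(1).strip("'\"`")
            if spec.startswith("-"):  # bare flag such as `npx --version`
                continue
            name, version = split_spec(spec)
            if version is None or not EXACT.match(version):
                findings.append((n, "unpinned-npx", f"{name}@{version or '(none)'}"))
        for m in ENV.finditer(line):
            if m.group(1) not in declared_env:
                findings.append((n, "undeclared-env", m.group(1)))
    return findings

# Constructed sample: the SKILL.md commands plus one pinned form.
# 0.0.0 is a placeholder, not a real agnic release.
SAMPLE = """\
npx agnic@latest --token <agnic_token> status --json
export AGNIC_TOKEN=<agnic_token>
npx agnic@latest auth login
npx agnic@0.0.0 status --json
"""

if __name__ == "__main__":
    for finding in audit_skill(SAMPLE):
        print(finding)
```

An exact version fixes only the top-level package; its dependencies may still be resolved at install time, so the isolation advice above still applies.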

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.0
latestvk972a2f87daqzmzvgma4mqh1xh833ak9

SKILL.md

Authenticate Wallet

Authenticate the user with their AgnicPay wallet using browser OAuth or token-based auth for headless agents.

Steps

  1. Preferred for headless agents: provide a token (no browser required):

    npx agnic@latest --token <agnic_token> status --json
    

    Or set an environment variable:

    export AGNIC_TOKEN=<agnic_token>
    npx agnic@latest status --json
    
  2. Browser mode: run the login command:

    npx agnic@latest auth login
    

    This opens the user's browser to AgnicPay where they sign in and set spending limits.

  3. Wait for the browser flow to complete. The CLI will show "Authenticated!" when done.

  4. Verify authentication:

    npx agnic@latest status --json
    

Expected Output

{
  "authenticated": true,
  "userId": "did:privy:...",
  "email": "user@example.com",
  "walletAddress": "0x...",
  "tokenExpiry": "2026-05-22T..."
}

Error Handling

  • If the user cancels the browser flow, the CLI will show "Authentication failed".
  • If the browser doesn't open, the CLI prints a URL the user can copy manually.
  • If token auth fails, check whether the token is valid/revoked/expired.
  • If already authenticated, agnic status will confirm without re-login.

Logout

To remove stored credentials:

npx agnic@latest auth logout
