Agnic Authenticate Wallet (x402)
Advisory
Audited by Static analysis on Apr 23, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone with the token may be able to act as the user's Agnic account within that token's permissions.
The skill explicitly asks the user to create and use an Agnic API token, which is sensitive delegated account access. This is expected for the authentication purpose, but users should handle the token carefully.
Generate an API token at [app.agnic.ai](https://app.agnic.ai) > Settings > API Tokens.
Use the least-privileged token available, avoid sharing it, prefer environment variables over command-line flags when possible, and revoke tokens that are no longer needed.
Connecting the wallet may authorize future actions or payments according to the limits shown in the Agnic consent flow.
The OAuth flow may involve wallet/payment spending limits. This is disclosed and aligned with a wallet authentication skill, but it is financially sensitive.
The user signs in (email, Google, or wallet) and approves spending limits
Review the OAuth consent screen and spending limits carefully before approving, and revoke access from the provider if you no longer trust or need it.
The behavior depends on whatever version of the external CLI is current when the command runs.
The skill relies on running the latest external `agnic` CLI via npx. This is central to the stated purpose, but `@latest` is not pinned to a reviewed version.
npx agnic@latest status --json
If you need stronger reproducibility, pin a specific trusted CLI version and verify the package source before using it with wallet or API credentials.
A compromised local account or device could potentially access stored Agnic credentials.
The skill discloses persistent local storage of credentials and token refresh behavior. This is purpose-aligned, but it creates stored authentication state on the user's machine.
Browser mode: credentials stored in `~/.agnic/config.json` with `0600` permissions. Tokens auto-refresh on 401 responses. Refresh token expires after 90 days.
Use `npx agnic@latest auth logout` when finished on shared or untrusted machines, and protect local account access.
