ClawHub

Search for Service

v1.0.0

Search and browse the x402 bazaar marketplace for paid API services. Use when you or the user want to find available services, see what's available, discover...

0· 52·0 current·0 all-time
by@agnicpay-prog
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
CryptoCan make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The name/description (search/browse the x402 bazaar) match the instructions, which only use the agnic CLI to search, list, and inspect marketplace endpoints. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
The SKILL.md instructs the agent to run `npx agnic@latest x402 bazaar ...` commands and to probe endpoints with `x402 details`, which will try multiple HTTP methods until a 402 response is received. This is coherent with discovering payment requirements, but it can have side effects: trying non-idempotent HTTP methods (POST/PUT/DELETE/PATCH) against arbitrary URLs may mutate remote state. The skill does not instruct reading local files or unrelated environment variables.
Install Mechanism
There is no install spec, but the allowed-tools explicitly run `npx agnic@latest` which downloads and executes code from the npm registry at runtime. That is a standard way to run a CLI but does mean remote code is fetched and executed on each invocation. Pinning to a specific package version or auditing the npm package would reduce risk.
Credentials
The skill requests no environment variables, credentials, or config paths. The cached data location (~/.config/agnic/bazaar/) is reasonable for a CLI cache and consistent with function.
Persistence & Privilege
The skill is not always-enabled and does not request elevated or persistent platform privileges. It writes a local cache but does not modify other skills or global agent configuration.
Assessment
This skill is coherent with its description, but take a few precautions before installing: 1) The skill runs `npx agnic@latest` which fetches and executes code from npm at runtime—consider auditing the npm package or pinning to a specific version rather than `@latest`. 2) The `details` command tries multiple HTTP methods until it sees a 402; avoid running it against sensitive production endpoints because it may issue POST/PUT/DELETE/PATCH requests that change remote state. 3) Expect a local cache at ~/.config/agnic/bazaar/. 4) If you have low tolerance for executing remote code, run the CLI in a sandboxed environment or inspect the agnic package source before use.

Like a lobster shell, security has layers — review code before you run it.

latestvk97f6qf7rdyx2psxr1sefc7fm584ddsn

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments