USDC Krump EVVM x402 Payment
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: usdckrump
Version: 0.1.2
The OpenClaw AgentSkills skill bundle 'usdckrump' is designed for making USDC Krump payments on Story Aeneid EVVM using the x402 protocol, supporting both Privy server wallets and direct private key signing. The `SKILL.md` and code clearly define its purpose and security considerations, including advice against storing private keys in plain environment variables. The `src/privy-signer.ts` component legitimately interacts with `https://auth.privy.io` for cryptographic operations, and blockchain interactions are via standard RPC endpoints. There is no evidence of intentional malicious behavior such as unauthorized data exfiltration, remote code execution, persistence, or prompt injection attempts against the agent. External repository references are for user-initiated examples, not dynamic code fetching by the skill.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked with incorrect or malicious parameters, the configured signer wallet could make an irreversible payment.
The function signs and submits an on-chain payment using supplied recipient, amount, adapter, and signature parameters; no code-level approval step, spend limit, or recipient restriction is visible.
`const tx = await adapter.payViaEVVMWithX402({ from, to, ... amount, ... receiptId, evvmNonce, ... evvmSignature: evvmSig.signature }); const receipt = await tx.wait();`
Require explicit per-payment user confirmation, verify recipient/token/adapter/RPC details, and configure Privy wallet policies or spending limits before enabling autonomous use.
Anyone who obtains these credentials or a reused private key could control or spend from the associated wallet.
The skill needs credentials that can sign wallet operations. This is purpose-aligned, but it is sensitive authority and the registry metadata lists no required env vars or primary credential.
Set `PRIVY_APP_ID` and `PRIVY_APP_SECRET` ... For the legacy `payViaEVVM` path, the payer private key must be supplied (e.g. `AGENT_PRIVATE_KEY`).
Use dedicated low-balance wallets, avoid reusing private keys, prefer Privy-managed wallets with policies, and ensure credentials are declared and stored securely.
A user may execute unreviewed external code with a wallet key and move assets into an EVVM ledger.
The referenced `lz-bridge` deposit script is not present in the supplied file manifest/install spec, yet the instructions ask the user to run external repo code while exposing a payer private key.
Run this in the full USDC Krump repo ... `cd lz-bridge` ... `PRIVATE_KEY=0x<payer_key> DEPOSIT_AMOUNT=1000000 npm run evvm:deposit-usdck`
Only run this from an audited repository and pinned commit, inspect the deposit script first, and use a dedicated test wallet or policy-limited signer.
Users could follow examples or trust addresses for a different token/codebase than the one they intended to use.
The evaluated skill is described as USDC Krump/USDC.k, while package and example artifacts still reference USDC.d/usdcdance naming. For a payment skill, token and contract identity ambiguity can mislead users.
"description": "Pay with USDC.d via x402 protocol on Story Aeneid EVVM using Privy"
Reconcile the USDC.k versus USDC.d naming, repository links, versions, and contract addresses before using the skill for any wallet-funded operation.
