Epstein Emails (x402)
ReviewAudited by ClawScan on May 10, 2026.
Overview
The skill is a coherent paid public-record search API, but it requires a funded crypto-wallet private key even though the registry says no credentials are needed.
Review carefully before installing. If you use it, create a dedicated Base wallet with only a small USDC balance, set spending limits if your x402 client supports them, confirm every paid request, and remember that your search queries go to the external epsteinemails.xyz service.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill may require exposing a funded wallet key to the agent/runtime. If the key is reused, overfunded, or mishandled, funds could be spent beyond the intended API requests.
This requires a raw private key for a funded wallet. The registry requirements list no required env vars or primary credential, so the high-impact credential requirement is under-declared.
This skill requires a funded EVM wallet... `XCLAW02_PRIVATE_KEY` ... `EVM wallet private key for signing payments`
Declare the wallet private key requirement in metadata. Users should only use a dedicated low-balance hot wallet, set spending limits if supported, and never use a wallet holding significant funds.
Approved searches will spend small amounts of USDC, and repeated pagination can increase total cost.
The skill can make paid API calls and paginate through results. The instructions include appropriate confirmation and cost controls, making this purpose-aligned but still important for users to notice.
GET /api/search (PAID — $0.001) ... Always confirm with the user before making paid requests. Never paginate through the full dataset without explicit user approval and a cost estimate.
Use the free preview first, ask for a cost estimate before multi-page searches, and set an x402 maximum amount or wallet funding limit.
Users have limited registry-level information for verifying who operates the paid API or auditing its implementation.
The registry does not provide source or homepage provenance for the skill/provider, while the skill depends on an external paid API. This is a provenance note, not evidence of malicious behavior.
Source: unknown; Homepage: none
Verify the external service and only send queries/payments you are comfortable sharing with that provider.