v1.0.1

Epstein Emails (x402)

Review
ClawScan verdict for this skill. Analyzed May 1, 2026, 5:40 AM.

Analysis

Review before installing because the skill asks the agent to use a funded EVM wallet private key for paid API calls, while the registry metadata declares no credentials or environment variables.

Guidance: Install only if you are comfortable giving the agent access to a dedicated, low-balance Base wallet private key for x402 payments. Do not use a primary wallet, set spending caps where possible, and confirm each paid request before it runs.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Low | Confidence: High | Status: Note
SKILL.md
Each API request costs **$0.001 USDC**... Always confirm with the user before making paid requests. Never paginate through the full dataset without explicit user approval and a cost estimate.

The API has direct financial cost per request, but the artifact instructs the agent to seek confirmation and estimate costs before paid or multi-request operations.

User impact: Queries can spend USDC, and bulk pagination can accumulate charges, though the documented safeguards reduce this risk.
Recommendation: Approve each paid request explicitly, use the free preview endpoint first, and require a clear cost estimate before pagination.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: Medium | Status: Note
SKILL.md
# pip install "x402[httpx,evm]" eth_account

The quick start references external Python packages without pinned versions; this is user-directed and purpose-aligned, but it is not captured by an install spec.

User impact: If the user copies the quick start, they will install external dependencies whose exact versions are not fixed by the artifact.
Recommendation: Prefer pinned package versions and declare setup dependencies in metadata or an install spec.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: High | Confidence: High | Status: Concern
SKILL.md
This skill requires a funded EVM wallet to make payments... `XCLAW02_PRIVATE_KEY` ... EVM wallet private key for signing payments

The skill requires a raw private key for a funded wallet, which grants payment-signing authority; this is high-impact credential access even though it is purpose-aligned with x402 payments.

User impact: If the wrong wallet is used or the key is mishandled, funds in that wallet could be spent or exposed.
Recommendation: Use only a dedicated low-balance hot wallet, set a client-side spending limit if available, and ensure the installer/metadata clearly declares the private-key requirement.