AIresearchOS

Warn

Audited by ClawScan on May 10, 2026.

Overview

This is a coherent research integration, but x402 payment mode deserves review because it uses a raw crypto wallet private key and runtime npm dependencies to make paid requests.

If you only use the API-key path, the behavior is mostly standard for an external research service. Before enabling x402, use a dedicated low-balance wallet, verify the AIresearchOS base URL, review or lock the npm dependencies, and approve each paid request carefully.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Using x402 with a main wallet could put more funds at risk than the advertised per-request research cost.

Why it was flagged

The helper converts a raw EVM private key from the environment into a signing account. That is necessary for x402 payments, but the credential can control wallet funds beyond this one skill if exposed or misused.

Skill content

const walletKey = process.env.AIRESEARCHOS_WALLET_KEY ... const account = privateKeyToAccount(walletKey)

Recommendation

Prefer API-key billing when possible, or use a dedicated low-balance wallet only for this skill. The skill should declare the wallet key in metadata and clearly recommend a limited-use wallet.

What this means

A compromised or unexpectedly changed dependency could run in the same environment as the wallet key.

Why it was flagged

The x402 path installs third-party npm packages and uses semver ranges. Because this same path handles a wallet private key, dependency provenance and version locking matter more than for a normal helper script.

Skill content

"@x402/core": "^2.3.0", "@x402/evm": "^2.3.0", "viem": "^2.45.2"

Recommendation

Review and pin dependencies with a lockfile before using x402 mode, or install dependencies in a constrained environment without extra secrets.

What this means

Research requests can consume paid credits or cryptocurrency funds.

Why it was flagged

The skill can spend credits or USDC, but it explicitly requires user confirmation for the highest-cost mode and for any x402 payment.

Skill content

Confirm with user before: Mission Critical (100 credits / $5.00), any x402 payment.

Recommendation

Approve each paid request deliberately and verify the selected mode and max payment before allowing the agent to submit it.

What this means

The assistant may keep running background status checks after the initial request.

Why it was flagged

The skill uses background cron jobs to keep checking research status. This is disclosed and aligned with the product purpose, but it continues autonomously until completion or failure.

Skill content

If action is 'pending', schedule another cron check in 2 minutes.

Recommendation

Monitor or cancel the scheduled cron checks if you no longer want the report, and prefer an explicit retry limit in future versions.