Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
CoinMarketCap x402 APIs
v1.0.1
Access CoinMarketCap data via x402 pay-per-request protocol with USDC payments on Base. Use when users mention x402, want CMC data without API keys, ask abou...
by CoinMarketCap (@bryan-cmc)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Scanner: OpenClaw
Verdict: Suspicious (high confidence)
Purpose & Capability
The skill's stated purpose (accessing CMC via x402 with on-chain USDC payments) matches the SKILL.md content: it requires a Base wallet/private key, USDC on Base, and Node/npm to run the x402 client. Requiring a wallet and small payments is proportionate for x402-based access. However, the registry metadata lists no required env vars or primary credential even though the instructions explicitly reference a PRIVATE_KEY environment variable and npm dependencies — this metadata mismatch is unexpected.
Instruction Scope
SKILL.md gives concrete runtime instructions that instruct the agent/user to install npm packages (@x402/axios, @x402/evm, viem), to use process.env.PRIVATE_KEY for the wallet, to construct signatures and send PAYMENT-SIGNATURE headers, and to pay 0.01 USDC per request. Those steps are within the declared purpose but they require handling a sensitive private key and performing on-chain payments. The instructions do not request unrelated files, but they do rely on a private key that the registry metadata did not declare — granting broad runtime discretion about key use is a scope concern.
Install Mechanism
This is an instruction-only skill with no install spec. It asks the user/agent to npm install several packages from public registries. That is reasonable for a Node-based x402 client, but because there's no packaged install spec the environment must be prepared manually; verify package names/versions and source before installing.
Credentials
The SKILL.md expects a PRIVATE_KEY environment variable and requires an on-chain wallet funded with USDC and some ETH for gas. Those requirements are proportionate to pay-per-request behavior, but the skill metadata declares no required env vars or primary credential. The presence of a hardcoded payment recipient address (0x271189c860DB25bC43173B0335784aD68a680908) and USDC contract address in payment-details.md is normal for a payment flow but is sensitive information the user should verify. The omission of declared required credentials in metadata is a mismatch and a red flag.
Persistence & Privilege
The skill is not marked always:true, is user-invocable, and is instruction-only with no install-time persistency specified. It does not request elevated persistent privileges or attempt to modify other skills or system-wide settings.
What to consider before installing
This skill appears to be a legitimate x402 client for CoinMarketCap, but before installing:
(1) Understand it requires a Base wallet private key and funds (USDC + gas) to pay ~$0.01 per request — do NOT use your main or high-value wallet. Create a dedicated hot wallet with minimal funds.
(2) The skill's registry metadata does NOT declare the PRIVATE_KEY env var even though SKILL.md expects process.env.PRIVATE_KEY — ask the publisher to update metadata, and be cautious about where you set that env var.
(3) Verify the payment recipient address (0x271189c860DB25bC43173B0335784aD68a680908) and USDC contract address in the docs before funding anything.
(4) If you will run code, inspect and verify the npm packages/@x402 packages and versions before npm install.
(5) Test with tiny amounts first and rotate the wallet if you suspect misuse.
If you are not comfortable providing a private key or funding a wallet, do not install or use this skill.
