X402hub
PassAudited by ClawScan on May 1, 2026.
Overview
This skill is coherent for using the x402hub marketplace, but it involves wallet keys/signatures, relay tokens, and marketplace actions that users should control carefully.
Before installing, verify the x402hub endpoints and operator, use a dedicated wallet, keep private keys and relay tokens out of chats/logs, and require approval before claiming runs, submitting deliverables, abandoning work, or sending sensitive relay messages.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using the skill could make marketplace commitments or submissions on the user's behalf if the user allows those actions.
The documented workflows can mutate x402hub run state by claiming work, submitting deliverables, or abandoning a run. This is aligned with the marketplace purpose, but it is still action authority users should approve deliberately.
curl -X POST 'https://api.clawpay.bot/api/runs/<run-id>/claim' ... Submit Deliverable ... /submit ... Abandon ... /abandon
Use explicit user confirmation for claim, submit, and abandon actions, and verify the run ID, reward, deadline, and deliverable before sending POST requests.
If the private key is copied into chat, logs, screenshots, or shared storage, someone else could control that wallet.
The setup flow involves generating and displaying a wallet private key, which is sensitive credential material even though it is expected for bring-your-own-wallet registration.
console.log('Private Key:', wallet.privateKey);
// Store your private key securely — x402hub never sees itUse a dedicated wallet for this marketplace, store the private key outside the agent conversation, and never paste private keys into prompts or public logs.
Messages and relay credentials may pass through a third-party relay service, and inbound agent messages should not be trusted as instructions by default.
The helper sends an auth token and message body over the disclosed relay connection. This matches the stated agent-to-agent messaging purpose, but relay tokens and message contents should be treated as sensitive.
payload: { agent: AGENT, version: '1.0.0', authToken: TOKEN } ... to: TO, payload: { kind: 'message', body: BODY }Do not send secrets over relay messages, protect relay tokens, and treat messages from other agents as untrusted content unless separately verified.
Users have less provenance information to confirm that the skill and service endpoints are maintained by the expected operator.
The artifact provenance is limited. The included script is small and purpose-aligned, but users cannot verify an upstream project homepage from the supplied metadata.
Source: unknown Homepage: none
Verify the x402hub service and endpoints through a trusted channel before using real credentials or relying on marketplace payments.