Skill v0.1.0
ClawScan security
Openclaw X402 Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 29, 2026, 2:33 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's purpose (discover and pay x402 services) is plausible, but the instructions and metadata contain inconsistencies and several security-relevant gaps around private-key handling and installation that you should understand before installing or using it.
- Guidance: This skill appears to be what it says (discovery + pay-per-call), but the packaging and docs are inconsistent and private-key handling is risky. Before installing or using it:
  1. Do NOT paste your primary wallet private key into .env or app configs — create a new, funded ephemeral wallet with only the small amount you are willing to lose.
  2. Inspect the actual code repository (git clone URL referenced in README) before pip installing anything; verify requirements.txt and review scripts (agent.py, MCP server code).
  3. For MCP use, be aware Node/pnpm are required and the MCP config example stores private keys in desktop config files; avoid putting keys into long-lived config files.
  4. Prefer using browse-only mode (no key) for discovery.
  5. If you must make paid calls, set conservative MAX_SPEND_PER_CALL and monitor outgoing transactions; consider using a hardware or contract-based account that limits spend.
  6. If you want a safer thumbs-up, provide the actual repository code (agent.py and requirements.txt) so it can be audited; without those files the packaging is inconsistent and can't be fully validated.
Review Dimensions
- Purpose & Capability (note): The declared purpose (discover/browse/pay x402 services) matches the stated need for python3 and an EVM private key for paid calls. However, the SKILL/README also describe MCP (Node.js/TypeScript/pnpm) integration but the registry requirements list only python3; Node/pnpm are not declared as required even though the MCP guide requires them. Directory paths for pip install and repo names are inconsistent across SKILL.md and README (openclaw-x402-skill vs x402-bazaar vs x402-bazaar path), suggesting sloppy packaging or missing files.
- Instruction Scope (concern): The runtime instructions tell the agent to run local scripts (e.g., python3 agent.py) and to place your EVM_PRIVATE_KEY in a .env or in Claude Desktop/MCP config. The MCP instructions explicitly show adding private keys into a desktop config that could be read by other processes. The skill instructs users to export private keys from wallets into plaintext files/configs and to run local processes, behaviors that increase risk of accidental key exposure. The skill does not instruct any broad data exfiltration, but it gives the agent discretion to autonomously find, pay, and call endpoints, which means private keys in the environment could be used automatically.
- Install Mechanism (concern): The registry lists no formal install spec (instruction-only), but SKILL.md and README include pip install commands pointing at local requirements.txt paths under different directories. There are no code files in the package (only docs), so the referenced paths (~/clawd/skills/x402-bazaar/requirements.txt, ~/clawd/skills/openclaw-x402-skill/requirements.txt, or a cloned repo) may not exist. This inconsistency means the provided install instructions may fail or lead users to clone/execute external repos; no downloads from unknown hosts are embedded in the published metadata itself, but the documentation implicitly expects fetching code from GitHub, which you would need to inspect first.
- Credentials (concern): The skill declares a single required env var (EVM_PRIVATE_KEY), which is proportionate for making on-chain payments. However, the docs reference additional sensitive env vars (MAX_SPEND_PER_CALL, BASE_RPC_URL, SVM_PRIVATE_KEY) and suggest placing private keys into .env or into MCP/Claude config. Those additional variables are not listed in the declared requirements. Storing plaintext private keys in config files or passing them into other apps increases the chance of accidental leakage. Recommend limiting funds in the wallet and using an ephemeral/separate wallet if you proceed.
- Persistence & Privilege (ok): The skill does not request always:true or other elevated persistence. It is user-invocable and allows autonomous invocation by default (normal for skills). It does instruct how to add an MCP server to Claude Desktop (a user operation) but does not itself declare system-wide modifications or automatic persistence.
