openkrill
Warn
Audited by ClawScan on May 10, 2026.
Overview
OpenKrill mostly matches its micropayment purpose, but it can spend real wallet funds without a required cap or approval and also stores disposable-email credentials locally.
Install only if you are comfortable giving the agent a thirdweb key tied to a small funded wallet. Add a hard per-request spending limit and approval step before payments, review or remove the disposable-email workflow if you do not need it, and pin the TypeScript runtime before running the helper scripts.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

An agent could spend funds from the configured wallet on arbitrary x402 endpoints, and a mispriced or malicious endpoint could charge more than the user expected.
The core wrapper can submit any caller-supplied URL and method to thirdweb's payment fetch API using the project secret, and a maximum payment is only applied if the caller supplies one.
params.set("url", options.url); params.set("method", options.method); ... if (options.maxValue) { params.set("maxValue", options.maxValue); } ... "x-secret-key": secretKey
Require explicit user approval or a hard default maxValue for each payment, add an allowlist of trusted services, and show price and recipient before paying.

Verification links, one-time codes, or account-recovery messages sent to those disposable inboxes could remain accessible to future agent runs or anyone with access to the project files.
The disposable-email helper persists mailbox passwords and bearer tokens in a plaintext JSON file in the current working directory.
const CREDENTIALS_FILE = ".agent-emails.json"; ... password: string; token: string; ... fs.writeFileSync(filePath, JSON.stringify(credentials, null, 2));
Avoid storing mailbox tokens unless necessary, set restrictive file permissions, provide a cleanup/delete command, and require user approval before reading verification messages.

A user installing this as a payment helper may not expect it to create email accounts or handle signup verification messages.
The skill includes an autonomous disposable-email/signup-verification capability that is explicitly not x402 payment-related, while the registry description presents the skill as a micropayment integration.
Mail.tm ... Unlike Browserbase and Firecrawl, Mail.tm does **not** require x402 payments ... Sign up for services that require email verification ... Receive one-time codes
Disclose the disposable-email capability prominently in the registry description or split it into a separate skill, and require explicit user intent before account signup or verification workflows.

If the key is over-scoped or the wallet holds too much value, mistakes or unintended agent actions could cost money.
The thirdweb secret and funded wallet are expected for x402 payments, but they are high-impact credentials because they enable wallet and payment operations.
THIRDWEB_SECRET_KEY environment variable is set with a valid thirdweb project secret key ... The wallet has sufficient USDC balance
Use a dedicated thirdweb project/key, keep only a small balance in the wallet, rotate keys if exposed, and monitor wallet activity.

If ts-node or related tooling is resolved from an untrusted or unexpected source, it would run in an environment that may contain the thirdweb secret.
The artifacts document running helper scripts through npx/ts-node, but no install spec or pinned package/lockfile is provided for that runtime.
"command": "npx ts-node scripts/create-wallet.ts"
Pin runtime dependencies in a package manifest/lockfile or install trusted versions before running the npx commands.
