Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Agentcash Wallet

Manage your agentcash wallet and call any x402-protected API with automatic payment. No API keys, no subscriptions — just a funded wallet (USDC on Base). USE...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 391 · 0 current installs · 0 all-time installs
by Mason Hall (@fmhall)
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description match the instructions: the skill teaches using the agentcash CLI to manage a wallet and pay x402-protected APIs. Requiring an agentcash CLI (via npm/npx) is consistent with that purpose. However, the registry metadata lists no install requirements or config paths while the documentation explicitly references a wallet file (~/.agentcash/wallet.json) and recommends installing a third-party npm package — this mismatch is noteworthy.
Instruction Scope
SKILL.md instructs the agent/user to run npx agentcash commands that will create and read ~/.agentcash/wallet.json, discover endpoints on arbitrary origins, and sign/pay requests automatically. The instructions do not ask for unrelated files or env vars, but they do direct execution of remote code (npx) and automatic transmission of request payloads to third-party endpoints, which can include sensitive data. The doc's claim that payments only settle on 2xx responses is an external implementation detail the skill relies on but cannot verify itself.
Install Mechanism
There is no formal install spec in the registry entry, yet the docs instruct npm install -g agentcash or use npx. Installing or running an npm package from an unknown source is moderate risk because npm packages can execute arbitrary code on install/run. The skill provides no homepage, source, or provenance for the agentcash package, increasing uncertainty.
Credentials
The skill declares no required env vars or config paths, but the instructions reference and create a local wallet file (~/.agentcash/wallet.json) that will contain private keys/credentials. That is a credential-bearing artifact not declared in the metadata. The lack of declared config/credential requirements is an incoherence: the skill will create/store secrets without notifying the registry metadata.
Persistence & Privilege
The skill itself is instruction-only and not always-enabled. However, it recommends installing a global npm package (or running it via npx), which results in software persisted on the system and capable of writing wallet files and performing network requests. That persistence is expected for a CLI wallet, but it increases the blast radius if the package is malicious.
What to consider before installing
This skill is plausible for paying per-request APIs, but exercise caution: 1) The docs tell you to install/run an npm package (agentcash) with no homepage or source—npm packages can run arbitrary code. 2) The wallet (private key) will be stored at ~/.agentcash/wallet.json, yet the registry metadata doesn't declare that; expect a local secret file to be created. 3) The CLI will sign and send payments automatically and will forward request bodies to remote origins—don't send sensitive data through it unless you trust the endpoints. Before installing: verify the agentcash npm package page and author, inspect the package source code (or run it in a safe sandbox/VM), consider using a dedicated wallet with minimal funds, prefer npx for one-off use rather than global install, and confirm the legitimacy of deposit/transaction endpoints (e.g., x402scan.com and the listed origins). If you cannot verify the package/source, avoid installing or keep funds minimal.
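One way to carry out the "inspect the package" and "expect a local secret file" checks above, as an added example that is not part of the scan report or of the skill. The function names and the sample manifest are constructed for illustration and are not taken from the real agentcash package.

```javascript
// Lifecycle scripts that npm runs automatically when a registry package is installed.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Report what runs on install, what `npx <name>` would execute, and which
// dependencies are fetched from outside the registry (git/http/file specs).
function auditManifest(pkg) {
  const scripts = pkg.scripts || {};
  const hooks = INSTALL_HOOKS.filter((h) => typeof scripts[h] === "string")
    .map((h) => ({ hook: h, command: scripts[h] }));
  // `bin` is either a single path (command named after the package) or a map.
  const bin = typeof pkg.bin === "string" ? { [pkg.name]: pkg.bin } : pkg.bin || {};
  const offRegistry = Object.entries(pkg.dependencies || {})
    .filter(([, spec]) =>
      /^(git(\+\w+)?:|https?:|file:|github:)/.test(spec) ||
      /^[\w.-]+\/[\w.-]+(#.*)?$/.test(spec)) // bare "user/repo" shorthand
    .map(([name, spec]) => ({ name, spec }));
  return { hooks, entryPoints: Object.values(bin), offRegistry };
}

// A wallet file holds a private key, so anything beyond owner read/write is a
// finding. `mode` is the value fs.statSync(path).mode returns on POSIX systems.
function walletModeFindings(mode) {
  const perms = mode & 0o777;
  const findings = [];
  if (perms & 0o044) findings.push("readable by group or others");
  if (perms & 0o022) findings.push("writable by group or others");
  if (perms & 0o111) findings.push("executable bit set");
  return { octal: perms.toString(8).padStart(3, "0"), findings };
}

// Constructed sample manifest (hypothetical package, not agentcash).
const sampleManifest = {
  name: "example-wallet-cli",
  version: "0.0.0",
  bin: "dist/cli.js",
  scripts: { build: "tsc", postinstall: "node scripts/setup.js" },
  dependencies: { chalk: "^5.0.0", helper: "github:someone/helper#main" },
};

console.log(auditManifest(sampleManifest));
console.log(walletModeFindings(0o100644)); // constructed mode: world-readable file
console.log(walletModeFindings(0o100600)); // constructed mode: owner-only file
```

An empty hooks list only rules out code running at install time; the files listed under entryPoints are what npx executes and still need to be read. The manifest to feed in is the package.json inside the tarball that npm pack <name> downloads.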

Like a lobster shell, security has layers — review code before you run it.

Current version: v0.1.0

SKILL.md

agentcash Wallet & Paid APIs

Call any x402-protected API with automatic payment. Payment is the authentication — no API keys or subscriptions needed.

Setup

If the agentcash CLI is not yet installed, see rules/getting-started.md for installation and wallet setup.

Wallet Management

Your wallet is auto-created on first use and stored at ~/.agentcash/wallet.json.

Check Balance

npx agentcash wallet info

Returns wallet address, USDC balance, and deposit link. Always check before expensive operations.

Redeem Invite Code

npx agentcash wallet redeem YOUR_CODE

One-time use per code. Credits added instantly. Run npx agentcash wallet info after to verify.

Deposit USDC

  1. Get your wallet address via npx agentcash wallet info
  2. Send USDC on Base network (eip155:8453) to that address
  3. Or use the deposit UI: https://x402scan.com/mcp/deposit/<wallet-address>

Important: Only Base network USDC. Other networks or tokens will be lost.

Calling Paid APIs

1. Discover endpoints

npx agentcash discover https://stableenrich.dev

Returns all endpoints, pricing, and usage instructions. Read the instructions field — it has critical endpoint-specific guidance.

2. Check schema (optional)

npx agentcash check https://stableenrich.dev/api/apollo/people-search

Returns full request/response JSON schemas and pricing for a specific endpoint.

3. Make a paid request

npx agentcash fetch https://stableenrich.dev/api/apollo/people-search -m POST -b '{"person_titles": ["CEO"], "person_locations": ["San Francisco"]}'

Payment is automatic: sends request, gets 402 challenge, signs USDC payment, retries with credential, returns result. Payments settle only on success (2xx) — failed requests cost nothing.

Available Services

| Origin | Service | What it does |
|---|---|---|
| https://stableenrich.dev | StableEnrich | Research APIs: Apollo (people/org), Exa (web search), Firecrawl (scraping), Grok (X/Twitter), Google Maps, Clado (LinkedIn), Serper (news/shopping), WhitePages, Reddit, Hunter (email verification), Influencer enrichment |
| https://stableupload.dev | StableUpload | Pay-per-upload file hosting. 10MB/$0.02, 100MB/$0.20, 1GB/$2.00. 6-month TTL |
| https://stablestudio.dev | StableStudio | AI image/video generation: GPT Image, Flux, Grok, Nano Banana, Sora, Veo, Seedance, Wan |
| https://stablesocial.dev | StableSocial | Social media data: TikTok, Instagram, X/Twitter, Facebook, Reddit, LinkedIn. $0.06/call, async two-step |
| https://stableemail.dev | StableEmail | Send emails ($0.02), forwarding inboxes ($1/mo), custom subdomains ($5) |
| https://stablephone.dev | StablePhone | AI phone calls ($0.54), phone numbers ($20), top-ups ($15) |
| https://stablejobs.dev | StableJobs | Job search via Coresignal |

Run npx agentcash discover <origin> on any origin to see its full endpoint catalog.

Quick Reference

| Task | Command |
|---|---|
| Check balance | npx agentcash wallet info |
| Redeem code | npx agentcash wallet redeem <code> |
| Discover endpoints | npx agentcash discover <url> |
| Check pricing/schema | npx agentcash check <url> |
| Paid POST request | npx agentcash fetch <url> -m POST -b '{...}' |
| Paid GET request | npx agentcash fetch <url> |

Tips

  • Always discover first — the instructions field has critical endpoint-specific patterns and required parameters.
  • Payments settle only on success (2xx) — failed requests cost nothing.
  • Use npx agentcash check <url> when unsure about request/response format.
  • Add --format json for machine-readable output, --format pretty for human-readable.
  • Add -v for verbose output to see payment details.
  • Network: Base (eip155:8453), Currency: USDC.

Troubleshooting

| Issue | Solution |
|---|---|
| "Command not found" | Run npm install -g agentcash |
| "Insufficient balance" | Check balance, deposit USDC or redeem invite code |
| "Payment failed" | Transient error — retry the request |
| "Invalid invite code" | Code already used or doesn't exist |
| Balance not updating | Wait for Base network confirmation (~2 sec) |
