Goldrush X402
Pass. Audited by ClawScan on May 10, 2026.
Overview
This is a coherent documentation-only integration for GoldRush x402, but using it means giving an app or agent a wallet private key that can make automatic paid requests.
This skill appears safe to treat as documentation for GoldRush x402, not as hidden executable code. Before using it, create a dedicated wallet, keep only the funds you are willing to spend, store the private key securely, pin and review the x402 npm dependencies, and add explicit spending and request limits for any autonomous agent.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Finding 1: Any code or agent with this private key can make paid x402 requests from the funded wallet.
The skill requires a wallet private key to authorize payments. This is expected for x402, and the docs warn not to commit it, but it is still sensitive delegated authority.
You need a wallet with testnet USDC on Base Sepolia. You'll use the wallet's private key to sign x402 payments. Never commit your private key to source control.
Recommendation: Use a dedicated low-balance wallet, preferably testnet-only unless you intentionally use mainnet later, store the key in a secrets manager, and monitor spending.
Finding 2: A misconfigured or overactive agent could make repeated paid requests without a separate human confirmation step.
The documentation intentionally enables autonomous paid API access. This is aligned with the skill's purpose, but automatic requests can spend wallet funds if the calling agent loops or chooses expensive tiers.
An AI agent with a funded wallet can autonomously access the full GoldRush API - no signup flow, no credentials to rotate, no billing portal, no human in the loop.
Recommendation: Add application-level spend limits, request limits, tier limits, and alerts before giving an autonomous agent access to a funded wallet.
Finding 3: Your project will depend on external npm libraries for wallet signing and payment handling.
The skill is instruction-only but directs users to install external npm packages without pinned versions. This is expected for the integration, but users should verify package provenance.
**Install:** `npm install @x402/core @x402/evm`
Recommendation: Review the npm packages, pin versions or use a lockfile, and keep dependencies updated through your normal supply-chain controls.
