Goldrush X402
Pass. Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: goldrush-x402
Version: 3.0.5

The skill bundle facilitates autonomous blockchain data access via the x402 protocol, which requires the AI agent to handle a sensitive `WALLET_PRIVATE_KEY` to sign micropayments. While this behavior is clearly aligned with the stated purpose of the GoldRush x402 service and no evidence of intentional malice or data exfiltration was found, the requirement for an agent to manage private keys is a high-risk capability that could be exploited if the agent is compromised. Key files involved include SKILL.md, references/overview.md, and references/ai-agents.md.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Any code or agent with this private key can make paid x402 requests from the funded wallet.
The skill requires a wallet private key to authorize payments. This is expected for x402, and the docs warn not to commit it, but it is still sensitive delegated authority.
You need a wallet with testnet USDC on Base Sepolia. You'll use the wallet's private key to sign x402 payments. Never commit your private key to source control.
Use a dedicated low-balance wallet, preferably testnet-only unless you intentionally use mainnet later, store the key in a secrets manager, and monitor spending.
A misconfigured or overactive agent could make repeated paid requests without a separate human confirmation step.
The documentation intentionally enables autonomous paid API access. This is aligned with the skill purpose, but automatic requests can spend wallet funds if the calling agent loops or chooses expensive tiers.
An AI agent with a funded wallet can autonomously access the full GoldRush API - no signup flow, no credentials to rotate, no billing portal, no human in the loop.
Add application-level spend limits, request limits, tier limits, and alerts before giving an autonomous agent access to a funded wallet.
Your project will depend on external npm libraries for wallet signing and payment handling.
The skill is instruction-only but directs users to install external npm packages without pinned versions. This is expected for the integration, but users should verify package provenance.
**Install:** `npm install @x402/core @x402/evm`
Review the npm packages, pin versions or use a lockfile, and keep dependencies updated through your normal supply-chain controls.
