x402-payment-demo
Warn (audited by ClawScan on May 10, 2026).
Overview
The skill is a coherent x402 demo, but it instructs the agent to make TRON payments and sign payment permits automatically, with a mainnet option available, and without an explicit approval step or any spending limit.
Only install or run this if you are comfortable with a demo that may trigger wallet signing/payment flows. Use the Nile testnet with a dedicated test wallet, review the referenced `x402-payment-tron` skill, and require a visible confirmation of network, amount, recipient, and permit scope before any payment or signature.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
1. The agent could sign a payment authorization or complete a payment without the user seeing the exact amount, network, token, or recipient first.
The skill directly instructs the agent to carry out payment and signing automatically, but the artifact neither requires an explicit user approval step nor defines spend limits before those high-impact actions.
Evidence, quoted from the skill: "Perform the payment and resource acquisition automatically as guided by the protocol (handling 402 Payment Required, signing permits, etc.)."
Recommendation: Require an explicit confirmation showing network, amount, token, recipient, and permit scope before any signing or payment, and keep mainnet disabled unless the user intentionally opts in.
2. A wallet connected for this demo could be asked to authorize payment-related permissions without clear boundaries in the skill instructions.
Signing permits and making payments on TRON requires wallet/account signing authority, and the presence of a mainnet option means real funds or token permissions may be involved. The artifacts do not bound which wallet, token, amount, or permit scope is allowed.
Evidence, quoted from the skill: "TRON network to use (nile, shasta, mainnet). Default: nile ... Perform the payment ... signing permits"
Recommendation: Declare the wallet/credential requirements, use a dedicated testnet wallet by default, and limit any permit to the minimum amount and recipient needed for the single requested fetch.
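The two recommendations above describe a gate the agent should pass through before it signs anything: a policy check (testnet by default, mainnet only on opt-in, per-payment cap, permit bound to exactly one recipient and amount, single use) followed by a visible confirmation of network, amount, token, recipient, and permit scope. The following Python is an added illustration of that gate; it is not code from the skill, from `x402-payment-tron`, or from ClawScan. It assumes the agent has already parsed the HTTP 402 challenge into a dict with the keys `network`, `amount` (integer, smallest token unit), `token`, `recipient`, and `permit`; real x402/TRON field names may differ, and the sample challenge and addresses are constructed.

```python
# Pre-payment guard for an x402-style agent flow. Added example; not code from
# the skill or from ClawScan. The challenge layout is an assumption: the agent
# has already parsed the HTTP 402 response into a dict with the keys 'network',
# 'amount' (integer, smallest token unit), 'token', 'recipient' and 'permit'
# (the scope the wallet is asked to sign). Real x402/TRON field names may differ.
from dataclasses import dataclass
from typing import Callable

TESTNETS = frozenset({"nile", "shasta"})


@dataclass(frozen=True)
class SpendPolicy:
    allowed_networks: frozenset = TESTNETS  # mainnet is never listed here; it needs allow_mainnet
    allow_mainnet: bool = False
    max_amount: int = 1_000_000             # per-payment cap, smallest unit (assumed: 1 USDT at 6 decimals)
    allowed_tokens: frozenset = frozenset({"USDT"})


class PaymentRefused(Exception):
    """Raised when the challenge violates policy or the user does not confirm."""


def policy_violations(challenge: dict, policy: SpendPolicy) -> list:
    """Return every reason the payment must not proceed (empty list = policy OK)."""
    problems = []
    net = challenge.get("network")
    if net == "mainnet":
        if not policy.allow_mainnet:
            problems.append("mainnet is disabled; opt in with allow_mainnet=True")
    elif net not in policy.allowed_networks:
        problems.append(f"network {net!r} is not in the allow-list")

    amount = challenge.get("amount")
    if not isinstance(amount, int) or amount <= 0:
        problems.append(f"amount must be a positive integer, got {amount!r}")
    elif amount > policy.max_amount:
        problems.append(f"amount {amount} exceeds per-payment cap {policy.max_amount}")

    if challenge.get("token") not in policy.allowed_tokens:
        problems.append(f"token {challenge.get('token')!r} is not in the allow-list")
    if not challenge.get("recipient"):
        problems.append("recipient is missing")

    # The permit the wallet signs must be bound to exactly this payment: same
    # spender as the recipient, same amount, single use. Anything wider is a
    # standing allowance the demo does not need.
    permit = challenge.get("permit") or {}
    if permit.get("spender") != challenge.get("recipient"):
        problems.append("permit spender differs from payment recipient")
    if permit.get("amount") != amount:
        problems.append(f"permit amount {permit.get('amount')!r} is not the payment amount {amount!r}")
    if not permit.get("single_use", False):
        problems.append("permit is reusable; require a single-use permit")
    return problems


def confirmation_text(challenge: dict) -> str:
    """Exactly what the user must see before any signature is produced."""
    p = challenge["permit"]
    return (
        f"network={challenge['network']} amount={challenge['amount']} "
        f"token={challenge['token']} recipient={challenge['recipient']} "
        f"permit=(spender={p['spender']}, amount={p['amount']}, single_use={p['single_use']})"
    )


def authorize_payment(challenge: dict, policy: SpendPolicy,
                      confirm: Callable[[str], bool]) -> dict:
    """Gate the signing step: policy first, then a visible yes/no from the user.

    Returns the only parameters the signer may use. `confirm` receives the
    confirmation text and must return True; anything else refuses the payment.
    """
    problems = policy_violations(challenge, policy)
    if problems:
        raise PaymentRefused("; ".join(problems))
    if confirm(confirmation_text(challenge)) is not True:
        raise PaymentRefused("user did not confirm the payment")
    return {k: challenge[k] for k in ("network", "amount", "token", "recipient", "permit")}


# Constructed sample challenge for the Nile testnet (not captured from a real server).
SAMPLE_RECIPIENT = "TExampleRecipientAddressXXXXXXXXXXXXXX"  # placeholder, not a real address
SAMPLE_CHALLENGE = {
    "network": "nile",
    "amount": 250_000,
    "token": "USDT",
    "recipient": SAMPLE_RECIPIENT,
    "permit": {"spender": SAMPLE_RECIPIENT, "amount": 250_000, "single_use": True},
}

if __name__ == "__main__":
    ask = lambda text: input(text + "\nProceed? [y/N] ").strip().lower() == "y"
    print("authorized:", authorize_payment(SAMPLE_CHALLENGE, SpendPolicy(), confirm=ask))
```

The signer should receive only the dict that `authorize_payment` returns, so the values the user confirmed are the values that get signed. Swapping the default `SpendPolicy()` for one with `allow_mainnet=True` is the single, deliberate place where real funds become reachable.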
3. The actual payment/signing behavior may depend on another skill the user has not reviewed as part of this package.
The core payment behavior is delegated to another skill that is not included, pinned, or declared in an install/dependency spec here. Because the delegated skill handles payments and signing, its missing provenance is material: whatever resolves as `x402-payment-tron` at install time decides what the wallet is asked to sign.
Evidence, quoted from the skill: "follow the instructions provided by the `x402-payment-tron` skill to fetch the protected resource"
Recommendation: Publish or declare the exact `x402-payment-tron` dependency, including version/source, and review it before enabling this demo.
