Buy a travel eSIM - via x402 USDC Base Wallet

ReviewAudited by ClawScan on May 1, 2026.

Overview

The skill is coherent for buying travel eSIMs, but it can spend real USDC through an external payment API, so users should confirm all payment details before approving.

This appears purpose-aligned, but treat it like any real-money checkout flow: confirm whether you are using mainnet or testnet, verify the package and USDC amount, review the wallet transaction before signing, and keep the delivered eSIM QR/installation link private.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Medium

#ASI03: Identity and Privilege Abuse

What this means

Approving the workflow can spend real USDC and gas, and crypto payments may be difficult or impossible to reverse.

Why it was flagged

The skill requires access to a wallet with spendable funds, which is expected for its eSIM purchase purpose but is still high-impact authority.

Skill content

- A wallet skill or USDC-capable wallet on Base (Mainnet or Sepolia)
- USDC balance for purchases
- ETH for gas

Recommendation

Only approve a purchase after checking the selected package, price, network, and wallet transaction details; use testnet or a limited-balance wallet when testing.

Medium

#ASI02: Tool Misuse and Exploitation

What this means

If the amount, network, asset, or recipient is wrong, the wallet could send funds to the wrong destination or for the wrong purchase.

Why it was flagged

The purchase flow uses payment instructions returned by an external API and then asks a wallet to pay them. This is purpose-aligned for x402, but the payment details should be verified before funds are sent.

Skill content

POST to /api/agent/purchase ... receive 402 with payment details
- Pay using your wallet
- Retry POST with payment proof header

Recommendation

Before paying, compare the 402 payment details against the quoted price and intended network, and do not proceed if the wallet transaction differs from what the user approved.

Low

#ASI04: Agentic Supply Chain Vulnerabilities

What this means

Users have less independent information for verifying the author, project history, or payment-service legitimacy.

Why it was flagged

The registry information does not provide a source repository or homepage, which limits provenance checks for a skill that facilitates payments.

Skill content

Source: unknown
Homepage: none

Recommendation

Install only if you trust the registry owner and the esimqr.link service, and review wallet prompts carefully before approving payments.