v1.0.2

Buy a travel eSIM - via x402 USDC Base Wallet

Benign
ClawScan verdict for this skill. Analyzed May 1, 2026, 5:29 AM.

Analysis

The skill is coherent for buying travel eSIMs, but it can spend real USDC through an external payment API, so users should confirm all payment details before approving.

Guidance: This appears purpose-aligned, but treat it like any real-money checkout flow: confirm whether you are using mainnet or testnet, verify the package and USDC amount, review the wallet transaction before signing, and keep the delivered eSIM QR/installation link private.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Medium; Confidence: High; Status: Note
SKILL.md
POST to /api/agent/purchase ... receive 402 with payment details
- Pay using your wallet
- Retry POST with payment proof header

The purchase flow uses payment instructions returned by an external API and then asks a wallet to pay them. This is purpose-aligned for x402, but the payment details should be verified before funds are sent.

User impact: If the amount, network, asset, or recipient is wrong, the wallet could send funds to the wrong destination or for the wrong purchase.
Recommendation: Before paying, compare the 402 payment details against the quoted price and intended network, and do not proceed if the wallet transaction differs from what the user approved.

Agentic Supply Chain Vulnerabilities
Severity: Low; Confidence: High; Status: Note
metadata
Source: unknown
Homepage: none

The registry information does not provide a source repository or homepage, which limits provenance checks for a skill that facilitates payments.

User impact: Users have less independent information for verifying the author, project history, or payment-service legitimacy.
Recommendation: Install only if you trust the registry owner and the esimqr.link service, and review wallet prompts carefully before approving payments.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium; Confidence: High; Status: Note
SKILL.md
- A wallet skill or USDC-capable wallet on Base (Mainnet or Sepolia)
- USDC balance for purchases
- ETH for gas

The skill requires access to a wallet with spendable funds, which is expected for its eSIM purchase purpose but is still high-impact authority.

User impact: Approving the workflow can spend real USDC and gas, and crypto payments may be difficult or impossible to reverse.
Recommendation: Only approve a purchase after checking the selected package, price, network, and wallet transaction details; use testnet or a limited-balance wallet when testing.