x402 Compute
WarnAudited by ClawScan on May 13, 2026.
Overview
The skill is coherent for paid compute provisioning, but it gives agents high-impact wallet, payment, and server-destruction authority with limited built-in safeguards.
Install only if you are comfortable letting the agent manage paid cloud compute. Use a dedicated low-balance wallet, verify every plan, duration, price, instance ID, and destroy action, and avoid broad OWS pass-through commands unless you review them first.
Publisher note
On demand compute provision for agents over x402 and Machine Payment protocol.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If an agent runs provisioning or extension with an expensive plan or unexpected challenge amount, the wallet can be charged.
The script takes the payment amount from the remote 402 challenge, signs it, and submits it without an in-script spending limit or explicit confirmation step.
amount = int(option["maxAmountRequired"]) ... x_payment = signer.create_x402_payment_header(pay_to=pay_to, amount=amount) ... "X-Payment": x_payment
Use only a dedicated low-balance wallet, confirm plan/duration/price before running payment scripts, and prefer adding local max-spend and confirmation checks.
A mistaken or overly autonomous agent action could destroy a compute instance and its data.
The destroy helper performs an authenticated DELETE for the supplied instance ID with no visible confirmation or recovery safeguard.
response = requests.delete(
f"{BASE_URL}/compute/instances/{instance_id}",
headers=auth_headers,
timeout=30,
)Require explicit user confirmation with the exact instance ID, ensure backups exist, and avoid giving the agent broad discretion to destroy instances.
If OWS is configured, an agent could be directed to invoke wallet functionality beyond the compute workflows the user expected.
The OWS wrapper exposes a raw pass-through to the wallet CLI rather than limiting the agent to compute-specific wallet operations.
run_parser = sub.add_parser("run", help="Pass OWS args directly")
...
return run_ows(raw)Prefer narrowly scoped OWS subcommands and wallet policies; avoid using the raw `run` pass-through unless you are reviewing the exact command.
Leaking these environment variables or logs could compromise the wallet and funds assigned to this skill.
The skill intentionally uses wallet private keys or Solana secret keys for local signing. This is disclosed and purpose-aligned, but it is sensitive credential handling.
export PRIVATE_KEY="0x..." export WALLET_ADDRESS="0x..." ... export SOLANA_SECRET_KEY="base58-or-json-array"
Use a fresh dedicated wallet with limited funds, keep secrets out of shared shells/logs, and prefer scoped wallet/key-management options where possible.
A dependency or registry compromise could affect wallet-related commands executed through the wrapper.
If no local OWS binary is found, the wrapper can run an unpinned npm package via npx with automatic yes mode.
return [npx_bin, "-y", "@open-wallet-standard/core", *args]
Install and pin trusted dependency versions, review OWS provenance, or set OWS_BIN to a vetted local executable.
The server password could be exposed in terminal scrollback, agent transcripts, or logs.
The helper prints a one-time root password to stdout. This is an expected fallback access flow, but the output is highly sensitive.
print(f" Password: {access.get('password', 'N/A')}")Prefer SSH keys, request one-time passwords only when necessary, and treat the output as a secret.