Skill v1.2.0
ClawScan security
x402 Compute · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 17, 2026, 8:10 PM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill is largely coherent with a blockchain-paid compute provisioning tool, but there are mismatches and runtime behaviors (undocumented sensitive env usage and dynamic npx execution) that warrant caution before installing.
- Guidance
- This skill appears to implement a legitimate blockchain-paid compute provisioning flow, but take these precautions before installing:
  1. Don't export your primary custody private keys into environment variables for this skill — create a dedicated wallet with minimal USDC for provisioning and use that.
  2. Prefer installing and configuring OpenWallet/OWS yourself (npm install -g @open-wallet-standard/core) so the scripts use your local binary instead of falling back to 'npx -y', which downloads code at runtime.
  3. Be aware the skill will load .env files and environment variables (WALLET_ADDRESS, PRIVATE_KEY, SOLANA_SECRET_KEY, OWS_WALLET, COMPUTE_API_KEY); audit and keep those secrets isolated (use ephemeral test wallets or an isolated execution environment).
  4. The registry metadata did not list the env vars the code expects — treat that as a documentation gap and verify expected variables before running.
  5. If you are unsure about the service domain (compute.x402layer.cc), verify its legitimacy and review the included scripts locally before running any that sign transactions or send private keys.
Review Dimensions
- Purpose & Capability
- note: The name/description match the code: scripts list plans/regions, provision/extend/destroy instances, and perform on-chain (Base/Solana) payment signing. Requiring private keys for payment signing is appropriate for the stated purpose. However, the registry metadata says there are no required environment variables or primary credential, while SKILL.md and the scripts clearly expect sensitive env vars (e.g., PRIVATE_KEY / WALLET_ADDRESS, SOLANA_SECRET_KEY, OWS_WALLET, COMPUTE_API_KEY). That documentation mismatch is surprising and should be corrected or clarified.
- Instruction Scope
- note: Runtime instructions are focused on compute provisioning and management and warn about private-key handling. The scripts sign payment messages locally and call the documented compute API endpoints. They do read environment variables and may read user-provided files (e.g., SSH key files, dotenv .env), which is expected. The only notable scope expansion is that the code may invoke external tooling (OWS via subprocess/npx); otherwise there are no instructions to access unrelated system data.
- Install Mechanism
- concern: There is no formal install spec in the registry, but SKILL.md instructs 'pip install -r requirements.txt' and the code will attempt to run OWS via an 'ows' binary or fall back to 'npx -y @open-wallet-standard/core'. That npx fallback can dynamically fetch and run code from npm at runtime, which increases risk if you rely on automatic execution. Requirements (eth-account, web3, solders) are consistent with EVM and Solana signing, but the lack of an explicit install step in the registry and the runtime use of npx are points of friction/risk.
- Credentials
- concern: The skill uses highly sensitive environment variables (EVM private key, SOLANA_SECRET_KEY, wallet addresses, OWS/COMPUTE_API_KEY) and will load dotenv if present. Those secrets are proportional to paying for compute via blockchain; however, the registry metadata declares no required env vars/primary credential, creating an undocumented gap. Also, the code suggests setting PRIVATE_KEY or SOLANA_SECRET_KEY as plain env vars — a dangerous practice for high-value wallets. The SKILL.md does warn to use a dedicated throwaway wallet, which mitigates risk but does not remove the concern that secrets might be present in the environment or .env files and that the scripts will load them.
- Persistence & Privilege
- ok: The skill does not request 'always: true' and does not appear to modify other skills or system-wide agent settings. It runs as-needed and uses subprocesses for OWS if available. No elevated persistence behavior was found.
