Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

AgentXPay

v1.0.5

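AgentXPay Skill: lets AI agents autonomously discover, pay for, and subscribe to AI services on the Monad chain via the x402 protocol. Supports on-chain payments, agent wallet management, service subscriptions, and fund escrow.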

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description (AgentXPay — on‑chain payments, wallet mgmt) align with required items: RPC_URL, contract addresses and a PRIVATE_KEY are expected. The required binaries (node, npx) are reasonable for the provided TypeScript/Node implementation. Minor incoherence: registry metadata claimed 'instruction‑only' / no install spec while the package actually includes source files, a package.json, and a CLI script — this is packaging sloppiness but not necessarily malicious.
! Instruction Scope
SKILL.md + scripts/run-tool.ts instruct the agent to call arbitrary external service URLs and to perform automatic on‑chain payments (x402 flow). The runtime will accept and forward arbitrary request bodies/headers to external endpoints; it also has the ability to create/fund wallets and sign/send transactions using the provided PRIVATE_KEY. While this is functionally consistent with the stated purpose, it expands agent capability to (a) contact arbitrary external services and (b) spend chain funds without extra safeguards — both are high‑impact actions. The instructions do validate required env vars, but do not enforce user confirmation in all code paths (the system prompt encourages confirmation but autonomous invocation is allowed).
Install Mechanism
No remote download/install spec is present; the package is standard Node/TS code with dependencies on @agentxpay/sdk and ethers from registries (pnpm lockfile present). Build tooling uses tsup and no unusual external URLs or extract operations are present. This is moderate risk only because running the code requires node and will execute network and signing operations — but there is no evidence of hidden third‑party hosts or obscure installers.
! Credentials
The skill requires PRIVATE_KEY as the primary credential and will create a Wallet and sign/send transactions with it. That is functionally necessary for on‑chain payments, but providing a raw private key to a skill gives it full control over that account and any funds therein. Additional required envs (RPC_URL, SERVICE_REGISTRY_ADDRESS, PAYMENT_MANAGER_ADDRESS) are relevant. No other unrelated secrets are requested. The use of a raw PRIVATE_KEY in process.env (and no explicit support for limited signers/hardware signer) is a proportionality and operational security concern.
Persistence & Privilege
The skill does not set always: true and does not request system‑wide persistence. However, disable-model-invocation is false (normal), which means the agent can invoke the skill autonomously; combined with a supplied PRIVATE_KEY this enables the agent to perform payments without manual confirmation unless higher-level policies prevent it. The skill does not appear to modify other skills or system configs.
What to consider before installing
This skill appears to implement the advertised x402 on‑chain payment flow, but it requires you to supply a raw PRIVATE_KEY and allows the agent to call arbitrary external endpoints and sign/submit transactions. Before installing or using it:

- Do not provide your primary wallet private key. Instead create a dedicated spending key/account with only the funds you are willing to risk, or use a signer that enforces limits (hardware wallet / remote signer) if possible.
- Prefer testing on a testnet RPC and test contract addresses first (skill references testnet examples). Verify transactions and behavior on a disposable account.
- Review or vendor‑audit the @agentxpay/sdk (the skill inlines/depends on this SDK) and the included scripts/run-tool.ts to confirm there are no unexpected network callbacks or telemetry endpoints. The package appears to call only the specified chain RPC and target AI service endpoints, but you should verify the SDK source code used in your environment.
- Limit agent autonomy: if your agent platform allows it, require explicit user confirmation before any tool call that results in an on‑chain payment or wallet authorization.
- Verify contract addresses (SERVICE_REGISTRY_ADDRESS, PAYMENT_MANAGER_ADDRESS, etc.) are correct and controlled by the intended infrastructure; otherwise you may pay a third party.

Given the sensitive nature of PRIVATE_KEY and the ability to perform payments automatically, proceed only after the above mitigations. If you want, I can point out specific lines in the code that perform signing/sending or produce a short checklist of how to create a restricted spending key and run the skill in a sandbox/testnet.

Like a lobster shell, security has layers — review code before you run it.

latest: vk972r0wh5ch2a4j2nwr4fh88rs81z5nx

Runtime requirements

💰 Clawdis
Bins: npx, node
Env: RPC_URL, PRIVATE_KEY, SERVICE_REGISTRY_ADDRESS, PAYMENT_MANAGER_ADDRESS
Primary env: PRIVATE_KEY
