AgentXPay
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
AgentXPay is transparent about blockchain payments, but it gives the agent broad ability to spend and manage a wallet key automatically, so users should review it carefully before use.
Install only if you intentionally want an agent to make blockchain payments. Use a new low-balance/testnet wallet, pin and review dependencies, require manual confirmation for every spend/subscription/escrow action, set strict budgets, and avoid sending sensitive data to unknown service endpoints.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or manipulated tool call could spend wallet funds or pay an unintended service.
The pay-and-call tool can automatically spend on-chain funds for a caller-supplied URL, while the schema only requires the URL and does not enforce a budget, price cap, or confirmation parameter.
"Call an AI service endpoint with automatic x402 payment handling. If the server returns HTTP 402 (Payment Required), the agent automatically pays on-chain and retries the request." ... required: ["url"]
Use a dedicated low-balance wallet, require explicit user confirmation before every payment, and enforce maximum per-call and per-task budgets in the runtime or wrapper.
Anyone or any tool path using that key can authorize transactions from the configured wallet, and delegated agent permissions can allow future spending within wallet rules.
The skill explicitly requires an agent wallet private key and includes actions that delegate spending authority to agent addresses; this is expected for the payment purpose but is high-impact authority.
`PRIVATE_KEY` | Yes | Agent wallet private key ... `authorize_agent`: authorize an address (Agent) to spend from this wallet
Never use a primary wallet key; create a separate wallet with minimal funds, set tight spending limits, and revoke agent authorizations when no longer needed.
A changed or unexpected dependency/runner version could affect code that signs payment transactions.
The tool runner can execute through npx and the critical payment SDK is specified as a floating semver range; this code runs in an environment containing PRIVATE_KEY, so dependency provenance matters.
"tool": "npx tsx scripts/run-tool.ts" ... "@agentxpay/sdk": "^0.3.0"
Pin exact dependency and runner versions, prefer a reviewed built artifact over npx-at-runtime execution, and verify the SDK source/lockfile before using real funds.
Sensitive prompts or credentials included in a request may be disclosed to the selected or supplied service endpoint.
The skill sends caller-provided request bodies and headers to external AI service endpoints. That is central to the skill, but it means prompts, files, or tokens placed in the body/headers leave the local environment.
headers: { "Content-Type": "application/json", ...(params.headers || {}) } ... fetchOptions.body = JSON.stringify(params.body); ... this.client.fetch(params.url, fetchOptions)
Only send non-sensitive data to trusted service URLs, avoid putting secrets in custom headers unless necessary, and review discovered service endpoints before payment/call execution.
