Skill v1.0.5

ClawScan security

AgentXPay · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 27, 2026, 1:59 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill broadly matches its stated purpose (on‑chain discovery, payment, wallet mgmt) but requests a raw PRIVATE_KEY and contains packaging/information mismatches and autonomous payment capabilities that warrant caution.
Guidance
This skill appears to implement the advertised x402 on‑chain payment flow, but it requires you to supply a raw PRIVATE_KEY and allows the agent to call arbitrary external endpoints and sign/submit transactions. Before installing or using it:
- Do not provide your primary wallet private key. Instead create a dedicated spending key/account with only the funds you are willing to risk, or use a signer that enforces limits (hardware wallet / remote signer) if possible.
- Prefer testing on a testnet RPC and test contract addresses first (skill references testnet examples). Verify transactions and behavior on a disposable account.
- Review or vendor‑audit the @agentxpay/sdk (the skill inlines/depends on this SDK) and the included scripts/run-tool.ts to confirm there are no unexpected network callbacks or telemetry endpoints. The package appears to call only the specified chain RPC and target AI service endpoints, but you should verify the SDK source code used in your environment.
- Limit agent autonomy: if your agent platform allows it, require explicit user confirmation before any tool call that results in an on‑chain payment or wallet authorization.
- Verify contract addresses (SERVICE_REGISTRY_ADDRESS, PAYMENT_MANAGER_ADDRESS, etc.) are correct and controlled by the intended infrastructure; otherwise you may pay a third party.
Given the sensitive nature of PRIVATE_KEY and the ability to perform payments automatically, proceed only after the above mitigations. If you want, I can point out specific lines in the code that perform signing/sending or produce a short checklist of how to create a restricted spending key and run the skill in a sandbox/testnet.

Review Dimensions

Purpose & Capability
note
Name/description (AgentXPay — on‑chain payments, wallet mgmt) align with required items: RPC_URL, contract addresses and a PRIVATE_KEY are expected. The required binaries (node, npx) are reasonable for the provided TypeScript/Node implementation. Minor incoherence: registry metadata claimed 'instruction‑only' / no install spec while the package actually includes source files, a package.json, and a CLI script — this is packaging sloppiness but not necessarily malicious.
Instruction Scope
concern
SKILL.md + scripts/run-tool.ts instruct the agent to call arbitrary external service URLs and to perform automatic on‑chain payments (x402 flow). The runtime will accept and forward arbitrary request bodies/headers to external endpoints; it also has the ability to create/fund wallets and sign/send transactions using the provided PRIVATE_KEY. While this is functionally consistent with the stated purpose, it expands agent capability to (a) contact arbitrary external services and (b) spend chain funds without extra safeguards — both are high‑impact actions. The instructions do validate required env vars, but do not enforce user confirmation in all code paths (the system prompt encourages confirmation but autonomous invocation is allowed).
Install Mechanism
ok
No remote download/install spec is present; the package is standard Node/TS code with dependencies on @agentxpay/sdk and ethers from registries (pnpm lockfile present). Build tooling uses tsup and no unusual external URLs or extract operations are present. This is moderate risk only because running the code requires node and will execute network and signing operations — but there is no evidence of hidden third‑party hosts or obscure installers.
Credentials
concern
The skill requires PRIVATE_KEY as the primary credential and will create a Wallet and sign/send transactions with it. That is functionally necessary for on‑chain payments, but providing a raw private key to a skill gives it full control over that account and any funds therein. Additional required envs (RPC_URL, SERVICE_REGISTRY_ADDRESS, PAYMENT_MANAGER_ADDRESS) are relevant. No other unrelated secrets are requested. The use of a raw PRIVATE_KEY in process.env (and no explicit support for limited signers/hardware signer) is a proportionality and operational security concern.
Persistence & Privilege
note
The skill does not set always: true and does not request system‑wide persistence. However, disable-model-invocation is false (normal), which means the agent can invoke the skill autonomously; combined with a supplied PRIVATE_KEY this enables the agent to perform payments without manual confirmation unless higher-level policies prevent it. The skill does not appear to modify other skills or system configs.