Breeze x402
Warn
Audited by ClawScan on May 10, 2026.
Overview
This is a disclosed Breeze/Solana payment skill, but it gives the agent full wallet authority, and the shown workflow signs and broadcasts transactions supplied by a remote API without any visible safety check between receipt and submission.
Review carefully before installing. If you use it, create a dedicated Breeze wallet with only the funds you are willing to risk, pin and audit dependencies, protect or delete generated .env and wallet-backup.json files, and require explicit transaction previews and confirmations before any deposit, withdrawal, or paid x402 call.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Impact: A bad, compromised, or mistaken remote response could cause the wallet to sign and submit an unintended Solana transaction, potentially moving funds irreversibly.
Details: The shown workflow signs and broadcasts a transaction received from the Breeze x402 API using the wallet key, without showing validation of the transaction contents or an explicit pre-send approval step.
Evidence:
const bytes = Buffer.from(txString, 'base64'); ... const tx = VersionedTransaction.deserialize(bytes); tx.sign([keypair]); sig = await connection.sendRawTransaction(tx.serialize());
Recommendation: Require transaction decoding and display of amount, token mint, recipient/accounts, program IDs, and fees before signing; enforce allowlists and per-action spending limits; require explicit user confirmation for deposits and withdrawals.
Impact: Anyone or anything with this private key can authorize Solana transactions from the wallet, so exposure or misuse could drain funds.
Details: The agent runtime is expected to receive a Solana wallet private key, which is full signing authority for that wallet rather than a limited Breeze-only credential.
Evidence:
metadata: {"openclaw":{"requires":{"bins":["node"],"env":["WALLET_PRIVATE_KEY"]},"primaryEnv":"WALLET_PRIVATE_KEY"}}
Recommendation: Use only a dedicated low-balance wallet for this skill, never a primary wallet; keep the key out of shared logs and repositories; remove or rotate funds immediately if the key may have been exposed.
Impact: A compromised or unexpectedly changed dependency could affect wallet handling or transaction submission.
Details: The setup uses unpinned npm dependencies in the same workflow that handles the wallet private key and transaction signing. This is expected for the integration but increases reliance on package provenance.
Evidence:
npm install @faremeter/fetch @faremeter/payment-solana @faremeter/wallet-solana @faremeter/info @solana/web3.js bs58 --legacy-peer-deps
Recommendation: Pin package versions, use a lockfile, install from a trusted environment, and audit dependencies before using the skill with real funds.
