Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Proxy Gateway X402
v0.1.6
Proxy Gateway X402 enables unrestricted pay-per-use internet access via the x402 protocol with direct USDC payments on Base L2, requiring no custody or KYC.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Verdict: Suspicious (medium confidence)
Purpose & Capability
The name, description, SKILL.md, and included code are consistent in implementing a pay-per-use HTTP proxy that verifies/sends USDC on-chain. However, metadata claims 'instruction-only' (no required env vars) while the code requires runtime configuration (DEVELOPER_WALLET, ADMIN_TOKEN, RPC_URL, etc.). README also references a hosted custodial endpoint and different trust models, creating mixed signals about custody/trust. Overall capability matches purpose but the packaging/metadata is inconsistent.
Instruction Scope
SKILL.md explicitly instructs users to set USER_EVM_PRIVATE_KEY in their environment to enable auto-pay; the code implements an auto-pay flow that signs and submits USDC transfers using that key. The skill also directs traffic through hosted endpoints (e.g., proxy-gateway-x402.easky.cn / proxy.easky.cn) and explicitly warns that all request data transits the proxy. Asking users (or an agent) to provide a raw private key and to route arbitrary requests through an external host expands scope and risk beyond a simple helper skill.
Install Mechanism
There is no install spec (instruction-only), which is lower risk in isolation, but the package contains a full application (19+ code files, requirements.txt, Docker instructions). That mismatch (no declared install but full source present) is unusual and should be clarified: either the skill is truly instruction-only (in which case shipping server code is misleading) or the code is intended to be deployed locally/dockerized (which requires an install step).
Credentials
Metadata shows 'required env vars: none', but the SKILL.md and code require several sensitive environment variables (USER_EVM_PRIVATE_KEY for auto-pay, DEVELOPER_WALLET, ADMIN_TOKEN, RPC_URL, REDIS credentials, etc.). Requesting a user's private key as an environment variable is high-risk even if the skill recommends a dedicated wallet. The number and sensitivity of these variables is disproportionate to what is declared in the registry metadata.
Persistence & Privilege
The skill is not set always:true, and model invocation is allowed (default). Because the middleware supports auto-pay by reading USER_EVM_PRIVATE_KEY, autonomous invocation of the skill (or an agent using it) could cause on‑chain payments without an interactive confirmation. The combination of autonomous invocation + private-key-based auto-pay increases the blast radius and is a significant risk if a private key is present in the environment.
What to consider before installing
Key things to consider before installing or using this skill:
- Metadata vs. reality: the registry metadata claims no env vars and 'instruction-only', yet the package contains a full server implementation that expects multiple environment variables (DEVELOPER_WALLET, ADMIN_TOKEN, RPC_URL, REDIS settings) and the SKILL.md asks you to set USER_EVM_PRIVATE_KEY for auto-pay. Ask the publisher to clarify required configuration and why metadata omits these.
- Do NOT put your main private key in an environment variable: the skill explicitly instructs to set USER_EVM_PRIVATE_KEY to enable auto-pay. This gives code direct ability to sign and send transactions. If you decide to use auto-pay, only use a dedicated wallet with minimal funds, or better: avoid auto-pay and use manual payments. Prefer hardware wallet or signing through a separate, secure signing service rather than exporting a raw private key to the environment.
- Hosted endpoints are untrusted by default: SKILL.md/README reference hosted proxies (proxy-gateway-x402.easky.cn, proxy.easky.cn) of unknown origin. All proxied request data (URLs, headers, bodies, responses) will be visible to the operator — do not proxy API keys, passwords, private endpoints, or sensitive data through a hosted instance. Self-host if you need privacy.
- Verify developer recipient address and code provenance: the DEVELOPER_WALLET controls payment receipts. If you plan to pay, confirm the wallet address and the publisher identity. The skill's Source/Homepage are unknown; prefer code that is published from a traceable repository and signed releases.
- Self-hosting recommended: if you need the functionality, deploy the included server in an isolated environment (container), set RPC and wallet config to your own endpoints/wallets, and audit the code (particularly auto-pay and transaction validation) before use.
- Minimize privileges: if you test, set NETWORK=testnet (or base-sepolia), use a test RPC_URL, and set ADMIN_TOKEN / REDIS credentials appropriately. Inspect and optionally remove auto-pay capability if you cannot securely sign transactions.
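The metadata-versus-code check in the first bullet can be automated before anything is installed. The script below is an added example, not ClawHub's scanner and not the skill's own code: it walks a skill directory, collects the environment variables that its Python, JS/TS and shell sources read, and reports the ones the registry metadata does not declare, flagging names that look like secrets. The sample package it builds is constructed for illustration; the file names and contents, and the REDIS_URL name, are assumptions, while the other variable names are the ones the scan above reports.

```python
"""Audit a skill package for env vars its code reads but its registry
metadata does not declare (added example; not ClawHub's scanner)."""
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Set, Tuple

# Env-read patterns for Python and JS/TS sources; assumed, not exhaustive.
CODE_PATTERNS = [
    re.compile(r"os\.environ(?:\.get)?\s*[\[(]\s*['\"]([A-Z][A-Z0-9_]*)['\"]"),
    re.compile(r"os\.getenv\s*\(\s*['\"]([A-Z][A-Z0-9_]*)['\"]"),
    re.compile(r"process\.env\.([A-Z][A-Z0-9_]*)"),
]
SHELL_PATTERN = re.compile(r"\$\{?([A-Z][A-Z0-9_]*)\}?")
SOURCE_KINDS = {".py": "code", ".js": "code", ".ts": "code", ".sh": "shell"}
SENSITIVE_HINTS = ("PRIVATE_KEY", "MNEMONIC", "SECRET", "TOKEN", "PASSWORD")


def find_env_reads(root: Path) -> Dict[str, Set[str]]:
    """Map each env var name to the relative paths of the files that read it."""
    found: Dict[str, Set[str]] = {}
    for path in sorted(root.rglob("*")):
        kind = SOURCE_KINDS.get(path.suffix)
        if kind is None or not path.is_file():
            continue
        text = path.read_text(errors="replace")
        patterns = [SHELL_PATTERN] if kind == "shell" else CODE_PATTERNS
        for pattern in patterns:
            for name in pattern.findall(text):
                found.setdefault(name, set()).add(path.relative_to(root).as_posix())
    return found


def audit(root: Path, declared: Set[str]) -> Tuple[Dict[str, List[str]], List[str]]:
    """Return (undeclared reads, the subset that look like secrets).

    Metadata that says 'required env vars: none' should leave the first dict
    empty; every name in the second list is a question for the publisher."""
    undeclared = {name: sorted(files) for name, files in find_env_reads(root).items()
                  if name not in declared}
    sensitive = sorted(n for n in undeclared if any(h in n for h in SENSITIVE_HINTS))
    return undeclared, sensitive


def build_sample_package() -> Path:
    """Constructed stand-in for the skill zip; the contents are invented for
    illustration and are not the skill's real source."""
    root = Path(tempfile.mkdtemp(prefix="skill_audit_"))
    (root / "server").mkdir()
    (root / "server" / "config.py").write_text(
        'import os\n'
        'DEVELOPER_WALLET = os.environ["DEVELOPER_WALLET"]\n'
        'ADMIN_TOKEN = os.environ.get("ADMIN_TOKEN", "")\n'
        'RPC_URL = os.getenv("RPC_URL", "https://rpc.example.invalid")\n'
        'REDIS_URL = os.getenv("REDIS_URL")  # assumed name for the Redis credentials\n'
    )
    (root / "server" / "autopay.py").write_text(
        'import os\n'
        'KEY = os.environ.get("USER_EVM_PRIVATE_KEY")  # used to sign USDC transfers\n'
    )
    (root / "run.sh").write_text('#!/bin/sh\nexec python -m server "$NETWORK"\n')
    (root / "SKILL.md").write_text("Set USER_EVM_PRIVATE_KEY to enable auto-pay.\n")
    return root


if __name__ == "__main__":
    package = build_sample_package()
    undeclared, sensitive = audit(package, declared=set())  # registry says: none
    for name, files in sorted(undeclared.items()):
        flag = "  <-- secret-like, ask the publisher" if name in sensitive else ""
        print(f"{name}: {', '.join(files)}{flag}")
```

Point `audit()` at the unpacked zip and pass the registry's declared variable list as `declared`; a non-empty result is exactly the mismatch the scan describes, and a secret-like name in the second list (a private key or admin token) is the one to raise with the publisher before running anything.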
What additional info would change the assessment:
- A verified publisher identity, an authoritative homepage/release URL, and matching registry metadata that declares required env vars and explains the hosted endpoints would raise confidence.
- Removal of the auto-pay-from-env pattern (or replacing it with a secure external signing flow/hardware-wallet integration) would materially reduce risk and could change the verdict toward benign.
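One shape the "secure external signing flow" in the second bullet could take, shown as an added design example that is not the skill's code and does not follow the x402 message format: the agent or skill process never sees key material; it asks a separate broker for a signed payment, and the broker enforces a recipient allowlist (DEVELOPER_WALLET only), per-payment and daily caps in USDC base units, nonce replay protection, and an operator confirmation hook for anything above a small auto-approve threshold. The payload layout, the placeholder addresses, the simulated operator and the HMAC stand-in for the real ECDSA signer are assumptions made for the demo.

```python
"""Policy-gated payment signing broker (added example; not the skill's code).
The skill/agent process calls request_payment() and gets back a signed payload
or a denial; only the broker ever holds key material."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set

USDC = 1_000_000  # USDC has 6 decimals, so 1 USDC = 1_000_000 base units


class PaymentDenied(Exception):
    """Raised when a request violates policy; nothing is signed and no state changes."""


@dataclass
class SpendPolicy:
    allowed_recipients: Set[str]   # lowercase hex addresses, e.g. DEVELOPER_WALLET only
    max_per_payment: int           # base units
    max_per_day: int               # base units, rolling 24h window
    auto_approve_below: int        # payments at or below this need no operator confirmation
    confirm: Optional[Callable[[str, int], bool]] = None  # operator hook for larger payments


@dataclass
class SigningBroker:
    policy: SpendPolicy
    key_material: bytes            # demo secret; a real broker holds the ECDSA key or a hardware-wallet handle
    spent_today: int = 0
    day_started: float = 0.0
    seen_nonces: Set[str] = field(default_factory=set)

    def request_payment(self, recipient: str, amount: int, nonce: str, now: float) -> Dict[str, str]:
        """Run every policy check before touching the key."""
        if now - self.day_started >= 86_400:   # roll the daily window
            self.spent_today, self.day_started = 0, now
        if recipient.lower() not in self.policy.allowed_recipients:
            raise PaymentDenied("recipient not allowlisted")
        if amount <= 0 or amount > self.policy.max_per_payment:
            raise PaymentDenied("exceeds per-payment cap")
        if self.spent_today + amount > self.policy.max_per_day:
            raise PaymentDenied("exceeds daily cap")
        if nonce in self.seen_nonces:
            raise PaymentDenied("replayed nonce")
        if amount > self.policy.auto_approve_below:
            if self.policy.confirm is None or not self.policy.confirm(recipient, amount):
                raise PaymentDenied("not confirmed by operator")
        payload = json.dumps({"to": recipient.lower(), "amount": amount, "nonce": nonce}, sort_keys=True)
        # Placeholder for the real signer (ECDSA over the payment message); HMAC keeps the demo offline.
        signature = hmac.new(self.key_material, payload.encode(), hashlib.sha256).hexdigest()
        self.seen_nonces.add(nonce)
        self.spent_today += amount
        return {"payload": payload, "signature": signature}


def attempt(broker: SigningBroker, *args) -> str:
    """Return a short outcome string instead of raising, for the scenario below."""
    try:
        broker.request_payment(*args)
        return "signed"
    except PaymentDenied as exc:
        return f"denied: {exc}"


def demo() -> Dict[str, str]:
    """Constructed scenario: one allowlisted recipient and a simulated operator who approves up to 25 USDC."""
    dev_wallet = "0x" + "ab" * 20   # placeholder for DEVELOPER_WALLET, not a real address
    stranger = "0x" + "cd" * 20     # placeholder for any other address
    policy = SpendPolicy(
        allowed_recipients={dev_wallet},
        max_per_payment=50 * USDC,
        max_per_day=90 * USDC,
        auto_approve_below=10 * USDC,
        confirm=lambda to, amt: amt <= 25 * USDC,   # stand-in for an interactive prompt
    )
    broker = SigningBroker(policy, key_material=b"demo-only-secret")
    t0 = 0.0
    results = {
        "small_auto": attempt(broker, dev_wallet, 5 * USDC, "n1", t0),
        "over_per_payment": attempt(broker, dev_wallet, 60 * USDC, "n2", t0),
        "confirmed_large": attempt(broker, dev_wallet, 20 * USDC, "n3", t0),
        "unconfirmed_large": attempt(broker, dev_wallet, 30 * USDC, "n4", t0),
        "unknown_recipient": attempt(broker, stranger, 1 * USDC, "n5", t0),
        "replayed_nonce": attempt(broker, dev_wallet, 1 * USDC, "n1", t0),
        "confirmed_again": attempt(broker, dev_wallet, 25 * USDC, "n6", t0),
        "over_daily_cap": attempt(broker, dev_wallet, 50 * USDC, "n7", t0),
        "next_day_small": attempt(broker, dev_wallet, 8 * USDC, "n7", t0 + 90_000),
    }
    results["spent_after"] = str(broker.spent_today)
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label}: {outcome}")
```

The design point is that an agent invoking the skill autonomously can only ever trigger a payment that fits the policy, and the key itself stays out of the agent's environment; swapping the HMAC line for a hardware-wallet or remote-signer call keeps the rest unchanged.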
Given the sensitive environment interaction (private key) and metadata/instruction mismatches, treat this skill as suspicious until the developer clarifies packaging, hosting, and how signing is performed securely.
