Skill v1.0.0

ClawScan security

x402 Private Search · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 15, 2026, 1:41 PM
Verdict: Benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill's files and instructions line up with its stated purpose (making x402-paid HTTP requests), but it asks you to generate and store a full EVM private key and runs an npm install in your home directory — so take normal crypto and dependency precautions before installing.
Guidance
This skill appears to do what it claims, but it requires you to create and store an EVM private key and installs npm packages into ~/.x402-client. Before installing: (1) use a throwaway/test wallet with only the small testnet funds needed, not a mainnet or valuable key; (2) inspect the npm dependencies (@x402/* and viem) and/or run npm install in a sandbox/container if you are unsure; (3) prefer storing the key in a file with restrictive permissions (mode 600) rather than exposing it widely in your environment; (4) verify the service URL(s) you intend to call (the provided search endpoint is a Cloudflare tunnel and may be ephemeral); and (5) if you need stronger assurance, request a signed upstream source or official homepage for the x402 packages before trusting them.

Review Dimensions

Purpose & Capability
ok: The name/description promise (x402 paid requests / paid search) matches the included code: a wallet generator, a fetch wrapper that handles 402/payment signing, and a services list. The scripts and docs are coherent with this purpose.
Instruction Scope
note: SKILL.md instructs the agent/user to run setup.sh, generate a wallet, store the private key (env or file), and call x402-fetch.mjs. The scripts only read a local key and sign payments; they do not attempt to read unrelated files or send arbitrary data elsewhere. The instructions do require you to keep and expose a private key to the local environment (sensitive) and to run commands from ~/.x402-client.
Install Mechanism
note: Installation is a local npm install (setup.sh) into ~/.x402-client which will fetch @x402/fetch, @x402/evm and viem from the npm registry. This is a common pattern but does execute network installs and writes files to your home directory; review those npm packages if you need higher assurance.
Credentials
concern: The skill requires access to a full EVM private key (via X402_PRIVATE_KEY, X402_KEY_FILE, or --key-file). That is necessary for signing payments but is highly sensitive. Registry metadata did not declare required env vars, even though SKILL.md relies on them — a metadata/documentation mismatch you should note.
Persistence & Privilege
ok: The skill does not request always:true or modify other skills; it installs to and operates within ~/.x402-client. That local persistence is limited in scope and expected for a CLI-style client.