
Security audit

x402 Payment Protocol

Security checks across malware telemetry and agentic risk

Overview

This payment skill does what it says, but it can automatically authorize real USDC payments without built-in confirmation or spend limits.

Install only if you intend to let an agent or script make x402 crypto payments. Use a dedicated low-balance wallet, restrict use to trusted URLs, review the amount, recipient, network, and token before signing, and avoid exposing a main wallet private key through environment variables or wallet files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence: 91%
Finding
The example performs an automatic paid request using a live wallet, but it does not clearly warn that calling `x402Fetch` can spend real USDC and that such payments may be irreversible. In an agent skill context, copy-pasted examples are often executed as-is, so omitting an explicit spending confirmation and real-funds warning increases the risk of unintended financial loss.

Missing User Warnings

Medium
Confidence: 94%
Finding
The `conway-credits.mjs` and `conway-domain.mjs` examples directly initiate paid operations, yet the documentation does not clearly state that running these commands will spend wallet funds and may create irreversible purchases. Because these are simple one-line commands, users or agents may execute them without recognizing the financial consequences.

Missing User Warnings

Medium
Confidence: 95%
Finding
The function automatically signs an EIP-3009 authorization derived entirely from a server-provided 402 response and immediately retransmits it in the X-Payment header without any user confirmation, policy checks, origin allowlisting, or validation that the payee/asset/domain are trusted. In this context, that means any endpoint returning a crafted 402 challenge can induce the client to create a transferable payment authorization, which is especially dangerous because the signed payload may be usable beyond the immediate HTTP exchange depending on downstream handling and token contract semantics.

VirusTotal

63/63 vendors flagged this skill as clean.
