Hunazo
Security checks across malware telemetry and agentic risk
Overview
Hunazo is a coherent marketplace/payment skill, but it asks for wallet-signing authority and can trigger real USDC/order actions without clear spending limits or approval guardrails.
Treat this as a real-money crypto trading integration. Install only if you are comfortable giving the agent environment wallet-signing capability, and use a dedicated low-balance wallet, explicit per-transaction approval, and spending limits before allowing purchases or other order actions.
VirusTotal
66/66 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent or payment client signs an unintended transaction, USDC can move from the wallet; exposing a main wallet private key to an agent environment increases the blast radius.
The skill requires a raw wallet private key in the environment for purchases. Even though this is disclosed and purpose-aligned, it is high-impact signing authority over funds and the artifact does not define spending limits, wallet scope, or mandatory approval controls.
`WALLET_PRIVATE_KEY` | For buying | Base wallet private key for x402 signing. Read by local x402 client only — never sent to Hunazo.
Use a dedicated low-balance wallet or delegated wallet with per-transaction approval, prefer testnet for testing, and do not provide a primary wallet private key unless you have independent spending controls.
An agent using this skill could create purchases or marketplace state changes that cost money or affect the user's reputation if invoked too broadly.
The documented workflow enables paid order creation through signed on-chain payment. The skill also documents listing, confirm, and dispute endpoints, but does not clearly instruct the agent to obtain explicit user confirmation, enforce budgets, or verify order details before high-impact actions.
POST /orders/{listing_id}?buyer_wallet=0x... -> Your LOCAL x402 client signs USDC transfer using WALLET_PRIVATE_KEY ... -> Re-submit with X-PAYMENT header
Require explicit user approval for each purchase, listing, confirmation, or dispute; set a maximum spend per transaction/session; and review recipient, amount, listing ID, and network before signing.
The safety of wallet signing depends partly on the separate x402 client and how it is installed/configured.
The skill depends on an external x402-compatible client for signing, but the artifact set contains no install spec, pinned package, or included code to review. This is expected for an instruction-only skill, but users should verify the client they install.
Requirements
- x402-compatible HTTP client for payment signing
- `WALLET_PRIVATE_KEY` env var ...
- `curl` for API calls
Install x402 tooling only from trusted, official sources, pin versions where possible, and verify that it signs only the intended Base USDC transactions.
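As an added example (not code from the Hunazo skill, from ClawScan, or from any x402 client), the policy gate below shows how the per-transaction approval, spending limit, and network/asset checks recommended for the purchase flow, and the "signs only the intended Base USDC transactions" check recommended for the installed client, can be enforced between the marketplace's 402 response and the local signer. The 402 body shape (an `accepts` list with `scheme`, `network`, `asset`, `payTo`, `maxAmountRequired`, `resource`), the sample URL, the recipient address, and the listing ID are constructed assumptions modelled on the x402 protocol; verify them against the client you actually install, and verify the Base USDC contract address against Circle's published deployments.

```python
"""Spending-policy gate for an x402-style purchase flow (added example).

Not code from the Hunazo skill or any x402 client. The 402 body shape is an
assumption modelled on x402; the gate refuses to release a payment to the
signer unless it matches policy AND an explicit approval callback says yes.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable

USDC_DECIMALS = 6
# Native USDC on Base mainnet; verify against Circle's published deployments.
BASE_USDC = "0x833589fcd6edb6e08f4c7c32d4f71b54bda02913"


@dataclass
class SpendPolicy:
    max_per_tx: int                      # USDC base units (1 USDC == 1_000_000)
    session_budget: int                  # total base units allowed this session
    allowed_network: str = "base"
    allowed_asset: str = BASE_USDC
    allowed_recipients: frozenset[str] = frozenset()   # empty == any payTo


@dataclass
class PaymentRequest:
    scheme: str
    network: str
    asset: str
    pay_to: str
    amount: int
    resource: str


@dataclass
class Decision:
    allowed: bool
    reasons: list[str] = field(default_factory=list)
    request: PaymentRequest | None = None   # only set when allowed


def fmt(units: int) -> str:
    return f"{units / 10**USDC_DECIMALS:.6f} USDC"


def parse_402(body: dict) -> PaymentRequest:
    """Pull the first payment option out of a 402 body (assumed x402-like shape)."""
    opt = body["accepts"][0]
    return PaymentRequest(
        scheme=opt["scheme"],
        network=opt["network"].lower(),
        asset=opt["asset"].lower(),
        pay_to=opt["payTo"].lower(),
        amount=int(opt["maxAmountRequired"]),
        resource=opt.get("resource", ""),
    )


def evaluate(req: PaymentRequest, policy: SpendPolicy, spent: int,
             expected_listing: str) -> Decision:
    """Every check is independent so the operator sees all failures at once."""
    reasons = []
    if req.network != policy.allowed_network:
        reasons.append(f"network {req.network!r} != {policy.allowed_network!r}")
    if req.asset != policy.allowed_asset.lower():
        reasons.append(f"asset {req.asset} is not the allowed USDC contract")
    if policy.allowed_recipients and req.pay_to not in policy.allowed_recipients:
        reasons.append(f"recipient {req.pay_to} not in allowlist")
    if req.amount > policy.max_per_tx:
        reasons.append(f"amount {fmt(req.amount)} exceeds per-tx max {fmt(policy.max_per_tx)}")
    if spent + req.amount > policy.session_budget:
        reasons.append(f"would exceed session budget ({fmt(spent)} already spent)")
    if expected_listing not in req.resource:
        reasons.append(f"resource {req.resource!r} does not reference listing {expected_listing}")
    return Decision(allowed=not reasons, reasons=reasons,
                    request=req if not reasons else None)


class PaymentGate:
    """Tracks session spend and releases a request only after explicit approval."""

    def __init__(self, policy: SpendPolicy, approve: Callable[[str], bool]):
        self.policy = policy
        self.approve = approve        # human-in-the-loop callback
        self.spent = 0

    def authorize(self, body_402: dict, listing_id: str) -> Decision:
        req = parse_402(body_402)
        decision = evaluate(req, self.policy, self.spent, listing_id)
        if not decision.allowed:
            return decision
        summary = (f"Pay {fmt(req.amount)} to {req.pay_to} on {req.network} "
                   f"for listing {listing_id}?")
        if not self.approve(summary):
            return Decision(False, ["user declined"])
        self.spent += req.amount      # commit budget only after approval
        return decision


# Constructed sample 402 body; URL, recipient and listing ID are hypothetical.
SAMPLE_402 = {
    "x402Version": 1,
    "accepts": [{
        "scheme": "exact",
        "network": "base",
        "asset": "0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913",
        "payTo": "0x00000000000000000000000000000000000000aa",
        "maxAmountRequired": "2500000",          # 2.5 USDC
        "resource": "https://api.example.invalid/orders/lst_42",
    }],
}

if __name__ == "__main__":
    gate = PaymentGate(SpendPolicy(max_per_tx=5_000_000, session_budget=6_000_000),
                       approve=lambda prompt: input(prompt + " [y/N] ").lower() == "y")
    print(gate.authorize(SAMPLE_402, "lst_42"))
```

Budget is committed only after the approval callback returns true, so a declined or policy-rejected request never consumes session spend, and the signer should only ever be handed the `PaymentRequest` carried inside an allowed `Decision`. Run against a testnet 402 first, and keep `max_per_tx` well below the balance of the dedicated wallet the key belongs to.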
