Hunazo

Warn. Audited by ClawScan on May 10, 2026.

Overview

Hunazo is a coherent marketplace/payment skill, but it asks the agent environment to use a wallet private key and can trigger USDC escrow actions without clear per-transaction approval or spend limits.

Review carefully before installing. If you use it, connect only a dedicated low-balance wallet, verify the Hunazo docs and escrow contract yourself, use testnet first, and require manual approval for every purchase, listing, confirmation, or dispute.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the wallet key or signing flow is misused, the user could lose funds from the wallet used for purchases.

Why it was flagged

The skill requires access to a raw wallet private key for purchases, which is a high-impact credential capable of authorizing financial activity.

Skill content

`WALLET_PRIVATE_KEY` | For buying | Base wallet private key for x402 signing.

Recommendation

Use a dedicated low-balance wallet, prefer delegated/MPC signing if available, and avoid exposing a main wallet private key to the agent environment.

What this means

An agent could make marketplace purchases or escrow payments in a way the user did not intend if prompts or tool use are not tightly controlled.

Why it was flagged

The documented workflow lets the agent initiate an order and trigger local signing for a USDC transfer, but the artifacts do not state that the agent must get explicit user confirmation or obey spend limits before doing so.

Skill content

POST /orders/{listing_id}?buyer_wallet=0x... -> Your LOCAL x402 client signs USDC transfer using WALLET_PRIVATE_KEY

Recommendation

Require explicit user approval for every purchase, listing, order confirmation, and dispute action; set clear spending limits before enabling the skill.

What this means

The safety of wallet signing depends partly on the external x402 client the user installs or configures.

Why it was flagged

The payment-signing behavior depends on external x402 client software that is referenced but not included, pinned, or reviewed in the provided artifact set.

Skill content

x402-compatible HTTP client for payment signing ... x402-js ... or x402-python

Recommendation

Install x402 tooling only from the official source, pin known-good versions where possible, and verify the client before using it with a funded wallet.