Neckr0ik X402 Payments
v1.0.0
x402 payment protocol for AI agents. Enables autonomous micropayments using HTTP 402 status codes and stablecoins. Use when you need to pay for API access, a...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (x402 micropayments) align with the included code: the client checks for HTTP 402 responses, constructs payment requests, stores receipts, and simulates signing/submission. Requiring a wallet/private key is coherent for signing payments. However, the SKILL.md advertises a CLI named 'neckr0ik-x402-payments' and Python import examples, while the repository only includes scripts/x402.py and no install spec — that mismatch is unexplained.
Instruction Scope
SKILL.md instructs the agent to set wallet.private_key (or use environment variable X402_PRIVATE_KEY) and to run CLI commands. The skill's runtime instructions reference storing keys and writing history locally. The declared metadata lists no required env vars, but the docs explicitly mention X402_PRIVATE_KEY; that is an access/instruction mismatch. The instructions also direct creation and use of a local ~/.x402 directory (config, wallet.json, history.jsonl), which grants the skill write/read access to local files containing sensitive data (private keys, transaction history).
Install Mechanism
There is no install specification (instruction-only), but a Python script scripts/x402.py is included. Because there's no install step or packaging, the SKILL.md's CLI name may not exist on PATH; operators would need to run the Python script directly or install it themselves. Lack of an install mechanism is lower-risk than arbitrary downloads, but the mismatch reduces clarity about how code will actually run.
Credentials
The skill handles highly sensitive data (wallet private keys) and suggests storing them either via a config command (which likely writes plaintext wallet.json) or the environment variable X402_PRIVATE_KEY. Yet requires.env in the metadata is empty. The skill does not declare or justify this sensitive access in registry metadata, and there is no guidance that private keys will be encrypted at rest. Requesting or handling private keys without declaring them is disproportionate and warrants caution.
Persistence & Privilege
The skill creates a per-user config directory (~/.x402) and writes wallet and history files. It sets always:false (not force-installed) and does not request system-wide privileges. Writing config and history is consistent with a payments client, but persistent local storage of private keys and unencrypted receipts increases risk: the skill will keep a permanent local footprint in the user's home directory.
What to consider before installing
This skill implements an autonomous micropayments client and will create ~/.x402 and write wallet and history files. Before installing: (1) Confirm how the CLI is meant to be run: SKILL.md names 'neckr0ik-x402-payments' but only scripts/x402.py is included. (2) Treat any private key as highly sensitive: do not provide your main funds wallet. Ask the author whether private keys are encrypted at rest; if not, assume wallet.json and history are plaintext. (3) Prefer signing transactions offline or with a hardware wallet rather than storing X402_PRIVATE_KEY in env or config. (4) Verify facilitator endpoints and network behavior (no hard-coded remote upload was found, but facilitator URLs come from servers you contact). (5) If you cannot audit the remaining/truncated code or the references/ facilitator lists, consider using a throwaway wallet or rejecting the skill. The mismatches and plaintext key handling are the primary reasons for caution.
Like a lobster shell, security has layers: review code before you run it.
