Skill v1.0.0

ClawScan security

Ntriq X402 Sentiment · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 17, 2026, 12:03 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's sentiment API usage is coherent, but it requires a payment header (X-PAYMENT) without declaring how that sensitive wallet/payment credential is obtained or protected — this gap could lead to users being asked to expose private keys or payment tokens.
Guidance
This skill legitimately calls an external sentiment API and charges $0.01 per call, but it omits how to produce or supply the required X-PAYMENT header. Before installing or using it:
(1) Do not paste private keys or seed phrases into the agent; if a payment header must be supplied, prefer generating it client-side or using a single-purpose/burner wallet.
(2) Ask the publisher how X-PAYMENT is produced and whether a short-lived payment token can be used instead of a private key.
(3) Verify the API hostname (https://x402.ntriq.co.kr) and review their payment docs; consider testing with minimal funds on a disposable wallet.
(4) If you need stronger assurance, request implementation code showing how the payment header is created so you can confirm it doesn't require exposing long-term secrets.

Review Dimensions

Purpose & Capability
note: The name and description (sentiment + pay-per-call) match the SKILL.md: it calls a sentiment endpoint and charges $0.01 USDC. However, the skill does not declare any required credentials or environment variables even though the API requires an X-PAYMENT header for payment, which is a meaningful omission.
Instruction Scope
note: Instructions are narrowly scoped to calling POST https://x402.ntriq.co.kr/sentiment with a JSON body and an X-PAYMENT header; there are no file reads, system paths, or unrelated network endpoints. But the doc gives no guidance on how to create or obtain the X-PAYMENT header, or what the agent should do if it doesn't have one.
Install Mechanism
ok: Instruction-only skill with no install spec and no code files, so nothing is written to disk or installed. This is low-risk from an install perspective.
Credentials
concern: Payment requires an X-PAYMENT header (implying wallet signing or a payment token). The skill lists no required env vars or primary credential, so there's no declared, safe place for the agent to retrieve payment credentials. That mismatch raises a risk that the agent will prompt the user for sensitive wallet keys/tokens, or that a user might paste private material into the agent.
Persistence & Privilege
ok: always:false and no install actions. The skill does not request permanent presence or elevated agent privileges.