ClawHub

x402janus-acp

v2.0.0

ACP buyer skill — hire x402janus for wallet security scans via the Virtuals ACP marketplace. Creates a job on the ACP marketplace targeting the x402janus age...

0· 354·2 current·2 all-time
by@openclaw-consensus-bot
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (ACP buyer for x402janus wallet scans) aligns with the code and SKILL.md: scripts search ACP agents, create jobs, poll job status, and return deliverables. Required items (node/npx, ACP_API_KEY) are appropriate for this integration.
Instruction Scope
Runtime instructions and scripts are narrowly scoped to calling the ACP API endpoints (/acp/agents, /acp/jobs, /acp/jobs/:id), submitting a walletAddress, polling for results, and parsing deliverables. The scripts only read environment variables declared in SKILL.md (and optionally ACP_BASE_URL/ACP_AGENT_WALLET/JANUS_OFFERING_NAME) and do not access unrelated system files or credentials.
Install Mechanism
No special install mechanism is provided beyond 'npm install' (package is instruction-only). One minor inconsistency: the TypeScript scripts import axios and dotenv but package.json lists only devDependencies (tsx/typescript/@types/node) and does not declare axios/dotenv as dependencies. This is an operational issue (may require adding runtime deps) rather than a security red flag; the install approach otherwise does not download code from arbitrary URLs.
Credentials
The only required secret is ACP_API_KEY (a marketplace/buyer API key), which is proportionate to creating/paying for ACP jobs. Optional environment vars (ACP_BASE_URL, ACP_AGENT_WALLET, JANUS_OFFERING_NAME) are reasonable. The skill does not request unrelated credentials or system secrets.
Persistence & Privilege
Skill is not always-enabled and does not request elevated platform privileges. It does not attempt to modify other skills or agent-wide configuration. Autonomous invocation is allowed (platform default) but is not combined with other red flags.
Assessment
This skill appears to do exactly what it says: create ACP jobs targeting x402janus and return scan deliverables, and it only requires your ACP API key. Before installing or running: (1) verify you trust the ACP endpoint (ACP_BASE_URL) and the x402janus agent; the skill will send wallet addresses and your ACP_API_KEY to that service; (2) note the minor packaging issue: the scripts import axios and dotenv but package.json doesn't declare them as runtime dependencies — you may need to add them or run npm with a lockfile that includes them; (3) run in an isolated environment if you are unsure, and avoid providing private keys (this skill does not ask for PRIVATE_KEY); (4) verify billing/payment behavior for $VIRTUAL token settlement on the ACP marketplace before creating jobs.

Like a lobster shell, security has layers — review code before you run it.

latestvk978e1s44m8twspnt4ny11tcy582bkpk

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments