xClaw02
Pass
Audited by ClawScan on May 10, 2026.
Overview
This is a coherent crypto-payment skill, but users should treat it carefully because it can spend USDC, handle wallet keys, and relies on external packages not included in the artifact.
Install only if you intend to let the agent help with x402/USDC payments. Use a dedicated low-balance wallet, protect private keys and mnemonics, verify the package source, and require explicit confirmation of the URL, amount, token, network, and recipient before any payment.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used carelessly, the agent could spend the user's crypto funds on the wrong URL, amount, network, or recipient.
The skill can trigger real USDC payments to external resources. The instruction is purpose-aligned and includes confirmation and max-amount guidance, so this is a noteworthy capability rather than a concern.
"Pay for this API" | Use `xclaw02 pay <url> --max-amount <amount>` - always confirm amount with user first
Confirm the exact URL, price, token, network, recipient, and spending limit before allowing any payment command.
Anyone or any tool with access to the private key may be able to authorize payments from the wallet.
The skill uses a private key to sign x402 payments. That is expected for a crypto-payment skill, but the private key is sensitive account authority.
const signer = await createSigner('eip155:8453', process.env.XCLAW02_PRIVATE_KEY);
Use a dedicated low-balance wallet, store keys securely, avoid sharing mnemonics/private keys, and set conservative max payment amounts.
Installing or running the wrong package version could expose wallet configuration or execute unreviewed code locally.
The setup depends on external npm/Python packages that are not included in the reviewed artifact and are not pinned in the instructions. This is common for CLI integrations, but users should verify package provenance before using it with wallet keys.
npx xclaw02 openclaw init ... pip install xclaw02
Install only from trusted package registries, verify the publisher/repository, prefer pinned versions where possible, and do not load a high-value wallet into unreviewed tooling.
