Atxp
Security checks across malware telemetry and agentic risk
Overview
This skill is clearly about agent payments and paid tools, but it gives the agent high-impact wallet, email, and credential authority with limited registry disclosure and no per-transaction human approval.
Install only if you intentionally want an agent to have a funded ATXP identity and paid-tool access. Keep balances small, protect `ATXP_CONNECTION` and `~/.atxp/config`, pin or review the npm CLI if possible, and require explicit review before spending funds or sending email.
VirusTotal
66/66 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent could spend deposited funds or call paid tools autonomously if the user enables and funds the account.
The skill is designed to let an agent spend from a funded balance without per-transaction human approval, which is high-impact financial authority even though it matches the product purpose.
The agent controls its own balance. No human approval per transaction.
Only fund the wallet with limited amounts, monitor usage, and require explicit user approval in your own workflow before spending or sending paid requests.
Anyone or anything that obtains this token could control the agent's ATXP wallet and identity.
The credential grants full wallet and identity access. The registry metadata provided for review says required env vars and primary credential are none, so this sensitive authority is under-declared outside the skill text.
`ATXP_CONNECTION` is a **sensitive secret** that grants full access to the agent's wallet and identity.
Treat `ATXP_CONNECTION` and `~/.atxp/config` like payment credentials; avoid sharing them, rotate them if exposed, and verify the registry metadata before installation.
The behavior depends on the current npm package version at execution time.
The skill relies on an external npm package fetched as `@latest`. That is common for CLI-based integrations, but the reviewed artifact set contains no code files, so the actual CLI behavior is not locally verified here.
`npx atxp@latest login`
Prefer a pinned package version where possible and review the upstream package/source before giving it wallet or email authority.
Search results, tweets, emails, or attachments could try to trick the agent into taking unintended actions.
The skill intentionally retrieves web, X/Twitter, and email content that may contain prompt injection. The artifact explicitly warns the agent to treat that content as untrusted.
`npx atxp@latest search <query>` | Web pages — may contain adversarial text
Keep the documented guardrails: do not execute commands from retrieved content and do not let external messages change the task or security rules.
If misused, the agent could send private task data, credentials, or received content to external email addresses.
Outbound email is a deliberate feature and the skill includes exfiltration guardrails, but arbitrary-recipient messaging can move sensitive data outside the user's environment.
The `email send` command can transmit data to arbitrary addresses.
Require user review for outbound email, never send secrets, and avoid forwarding untrusted inbound content.
