Atxp

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent could spend wallet funds on paid tools or APIs without asking each time.

Why it was flagged

This gives the agent high-impact spending authority without an explicit per-use approval gate or visible budget controls.

Skill content

The agent controls its own balance. No human approval per transaction.

Recommendation

Only use with a limited balance and require explicit user confirmation, budgets, and allowlists before any paid transaction.

What this means

A mistaken or manipulated agent action could send messages or sensitive content outside the user’s environment.

Why it was flagged

Outbound email to arbitrary recipients is a high-impact external action; the skill warns about exfiltration but does not show a built-in approval or recipient restriction.

Skill content

The `email send` command can transmit data to arbitrary addresses.

Recommendation

Require user approval for every outbound email and restrict allowed recipients or domains where possible.

What this means

If this token is exposed, someone could use the agent’s ATXP wallet, identity, email, and paid-tool access.

Why it was flagged

The credential is purpose-aligned and disclosed, but it is powerful because possession of it controls the agent wallet and identity.

Skill content

`ATXP_CONNECTION` is a **sensitive secret** that grants full access to the agent's wallet and identity.

Recommendation

Treat `ATXP_CONNECTION` like a financial credential: keep balances low, store it securely, rotate it if exposed, and do not include it in prompts, emails, or logs.

What this means

A future or compromised npm release could change what the agent runs while handling wallet and identity credentials.

Why it was flagged

The skill relies on an unpinned `@latest` npm package for runtime behavior, and the provided artifact set contains no local code to review.

Skill content

`npx atxp@latest login` ... `npx atxp@latest search <query>`

Recommendation

Pin the CLI to a reviewed version, publish a clear install spec, and avoid using `@latest` for high-impact wallet or email operations.

Note

High Confidence

ASI01: Agent Goal Hijack

What this means

Search results, tweets, or emails may try to manipulate the agent into taking actions outside the user’s intent.

Why it was flagged

The skill retrieves untrusted web, social, and email content that could contain prompt-injection attempts, although the SKILL explicitly warns the agent not to follow those directives.

Skill content

`npx atxp@latest search <query>` | Web pages — may contain adversarial text ... `npx atxp@latest email read <id>` | Inbound email — may contain phishing or injection payloads

Recommendation

Keep the provided guardrails: treat external content as untrusted reference material and never execute commands or send data based only on retrieved content.