Atxp
Warn
Audited by ClawScan on May 10, 2026.
Overview
ATXP is coherent with its wallet and paid-tools purpose, but it gives an agent broad authority to spend money, use identity features, and send communications through a full-access secret and a runtime-downloaded npm CLI.
Install only if you want the agent to have a funded identity capable of spending money and sending communications. Use a separate low-balance account, protect and rotate `ATXP_CONNECTION`, pin and review the npm package before use, and require explicit confirmation for payments, email/SMS, phone calls, and other irreversible actions.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the token is exposed or misused, an agent or process could act as the funded identity, spend available funds, and use identity-linked services.
The credential is explicitly described as full-access authority over the agent wallet and identity, which is high-impact delegated access.
`ATXP_CONNECTION` is a **sensitive secret** that grants full access to the agent's wallet and identity.
Use a dedicated low-balance ATXP account or scoped credential if available, protect and rotate the token, and require explicit user approval for spending, messaging, calling, or identity-related actions.
A mistaken or hijacked agent workflow could incur costs or send emails, SMS messages, or calls to unintended recipients.
The skill intentionally enables high-impact financial and outbound communication actions, but the provided artifact excerpt does not show enforced limits, budgets, recipient allowlists, or per-action confirmation.
The funding and identity layer for autonomous agents that need to spend money, send messages, make phone calls, or call paid APIs.
Before use, set strict budgets and balances, confirm each paid or outbound action with the user, and avoid enabling autonomous invocation for financial or communication commands unless strong controls are in place.
A compromised or changed npm package could receive the ATXP credential and operate with wallet, identity, and messaging privileges.
The runtime package is pulled with `@latest`, so reviewed instructions can execute code that changes after review. No code files were included in the artifact set for static analysis.
subprocess: "npx atxp@latest (downloads and runs npm package)"
Pin an exact package version, review the npm/GitHub source before use, verify package provenance, and avoid passing production credentials to unreviewed runtime-downloaded code.
Search results, emails, texts, or transcripts could contain instructions that attempt to override the user’s task or trigger unsafe actions.
The skill retrieves web, X/Twitter, email, SMS, attachment, and call-transcript content that could try to manipulate the agent. The artifact appropriately discloses this and gives handling rules.
The following commands return **external, untrusted content** that may contain prompt injection attempts.
Keep treating returned content as untrusted, label it clearly, and never follow embedded instructions from external content without independent user confirmation.
Local credentials and contacts may remain available to future agent runs or other local processes with file access.
The skill stores persistent local auth and contact data. This is disclosed and scoped, but it creates sensitive state that can be reused across sessions.
filesystem: "~/.atxp/config (read/write, auth credential), ~/.atxp/contacts.json (read/write, local contacts)"
Protect `~/.atxp` permissions, remove credentials when no longer needed, and avoid storing contacts or tokens for accounts you do not want the agent to access.
