Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

x402-cli

v1.0.3

Pay for x402 payment-gated HTTP endpoints using USDC stablecoins

Stats: 0 · 435 · 1 current · 1 all-time
by Razvan Macovei (@razvanmacovei)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description, required binary (x402-cli), install methods (brew/go) and the single required env var (EVM_PRIVATE_KEY) all align with a CLI that signs and submits USDC payments on EVM chains. Requested items are proportionate to the stated purpose.
Instruction Scope
SKILL.md only instructs using the x402-cli binary (probe, pay, POST, TLS flags) and setting EVM_PRIVATE_KEY. It does not direct reading unrelated files, exfiltration, or contacting unexpected endpoints. The --skip-verify/-k TLS option is noted: it disables certificate verification, which is convenient against a local dev server but lets anyone on the network path impersonate the payment endpoint if it is used in production.
Install Mechanism
Install options are standard: a Homebrew formula in a named tap and a go install from a GitHub package. These are expected for a CLI tool; no opaque downloads, pastebins, or IP-hosted archives are used. Verify the tap/repo before installing.
Credentials
Only EVM_PRIVATE_KEY is required and is the declared primary credential — appropriate for signing on-chain payments. This is a highly sensitive secret: the skill legitimately needs it, but supplying a private key exposes the ability to spend funds, so use a dedicated low-value wallet or more secure signing setup.
Persistence & Privilege
The skill's always flag is false, and it does not request system config paths or persistent elevated privileges. Note that the skill can be invoked autonomously by the agent (the normal default); combined with an EVM private key, this means an autonomous agent could initiate real payments if allowed to.
Assessment
This skill appears to do exactly what it claims, but it requires an EVM private key, which can be used to spend tokens. Before installing or enabling it:
1) Inspect the GitHub repo (https://github.com/razvanmacovei/x402-cli) and the Homebrew tap to ensure the source is trustworthy.
2) Never use your main wallet's private key: create a dedicated low-value wallet for this skill, or use a remote/hardware signer if supported.
3) Consider restricting agent autonomy (disable autonomous invocation for this skill) if you don't want the agent to initiate payments without explicit approval.
4) Avoid using --skip-verify in production; it turns off TLS certificate verification for the payment request.
5) If you must store the key in an environment variable, remember that every process the agent spawns inherits it; ensure the runtime environment is secure and rotate the key regularly.
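Steps 2 to 5 can be enforced mechanically in front of the binary rather than left to the agent's discretion. The wrapper below is an added example written for this page; it is not code shipped with x402-cli or with the skill. It assumes the dedicated wallet's key is stored in a mode-0600 file named by X402_KEY_FILE, that x402-cli takes pay as a subcommand word (the skill text lists probe and pay but not their exact syntax), and that an operator signals approval for a payment by setting X402_APPROVED=1 in the wrapper's environment. All three names are hypothetical.

```shell
#!/usr/bin/env bash
# x402-guard.sh: enforce the scan's recommendations before any x402-cli call.
# Assumptions (not from the skill): the dedicated wallet's key lives in a
# mode-0600 file ($X402_KEY_FILE), and a payment requires X402_APPROVED=1,
# which an operator sets, not the agent.
set -eu

# secp256k1 group order n; a valid private key is an integer in [1, n-1].
SECP256K1_N="fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141"
ZERO_KEY="0000000000000000000000000000000000000000000000000000000000000000"

# in_range HEX: true if 0 < HEX < n. Equal-length lowercase hex strings order
# the same way as the integers they encode, so a C-locale sort decides it.
in_range() {
  [ "$1" != "$ZERO_KEY" ] && [ "$1" != "$SECP256K1_N" ] &&
    printf '%s\n%s\n' "$1" "$SECP256K1_N" | LC_ALL=C sort -c >/dev/null 2>&1
}

# validate_key KEY: accept a 32-byte hex key with or without a 0x prefix;
# reject wrong length, non-hex characters, the zero key, or anything >= n.
validate_key() {
  key=$1
  case "$key" in 0x*|0X*) key=${key#0?} ;; esac
  hex=$(printf '%s' "$key" | tr 'A-F' 'a-f')
  [ "${#hex}" -eq 64 ] || return 1
  case "$hex" in *[!0-9a-f]*) return 1 ;; esac
  in_range "$hex"
}

# args_safe ARGS...: refuse the TLS verification bypass the scan warns about.
args_safe() {
  for a in "$@"; do
    case "$a" in -k|--skip-verify) return 1 ;; esac
  done
  return 0
}

# spends_funds ARGS...: only the (assumed) pay subcommand signs a payment.
spends_funds() {
  for a in "$@"; do
    [ "$a" = "pay" ] && return 0
  done
  return 1
}

# preflight KEYFILE ARGS...: every check the wrapper applies, without running
# x402-cli. Returns 0 when the invocation may proceed.
preflight() {
  keyfile=$1; shift
  [ -f "$keyfile" ] || { echo "guard: no key file at $keyfile" >&2; return 1; }
  # Columns 5-10 of ls -l are the group/other permission bits; require none.
  [ "$(ls -ld "$keyfile" | cut -c5-10)" = "------" ] ||
    { echo "guard: $keyfile must be mode 0600" >&2; return 1; }
  IFS= read -r key < "$keyfile" || true
  validate_key "$key" || { echo "guard: key file is not a 32-byte hex key" >&2; return 1; }
  args_safe "$@" || { echo "guard: --skip-verify/-k is not allowed" >&2; return 1; }
  if spends_funds "$@" && [ "${X402_APPROVED:-0}" != "1" ]; then
    echo "guard: 'pay' needs X402_APPROVED=1 from an operator" >&2; return 1
  fi
  return 0
}

# run_guarded ARGS...: pass the key only in the environment of this one
# x402-cli process instead of exporting it into the agent's shell.
run_guarded() {
  keyfile=${X402_KEY_FILE:-$HOME/.config/x402/dedicated-wallet.key}
  preflight "$keyfile" "$@"
  IFS= read -r key < "$keyfile" || true
  EVM_PRIVATE_KEY=$key exec x402-cli "$@"
}

if [ "$#" -gt 0 ]; then run_guarded "$@"; fi
```

Invoke it as x402-guard.sh probe <url> in place of a bare x402-cli with EVM_PRIVATE_KEY exported: the key reaches only the single x402-cli process, a pay without X402_APPROVED=1 is refused before anything is signed, and -k is rejected regardless of where it appears in the arguments. The range check compares against the secp256k1 order, so 64 f's is rejected even though it is well-formed hex; the permission check relies on the standard ls -l mode string, which is the portable way to read those bits without GNU stat.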


latest: vk975j9cjydrz1q19p1ea32c4xh81ts5x


Runtime requirements

Bins: x402-cli
Env: EVM_PRIVATE_KEY
Primary env: EVM_PRIVATE_KEY

Install

Homebrew (bins: x402-cli)
brew install razvanmacovei/tap/x402-cli

Go (bins: x402-cli)
