x402-cli
Warn: Audited by ClawScan on May 10, 2026.
Overview
The skill is a coherent x402 payment client, but it hands the agent a raw wallet private key and an auto-pay workflow with no spend limit or approval rule of its own.
Install only if you are comfortable letting this tool sign USDC payments. Use a dedicated low-value wallet, pin or verify the CLI version, always probe the endpoint first, and require explicit approval before any paid request.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent or installed CLI is misused, funds in the configured wallet could be spent.
The skill requires a raw wallet signing key that can authorize USDC payments. The artifacts do not define a scoped token, spending cap, or enforced approval boundary.
Set the `EVM_PRIVATE_KEY` environment variable to a wallet private key that holds USDC on the target network
Use only a dedicated low-balance wallet, avoid main wallets, and set explicit per-use approval and spending limits outside the skill.
An agent could make unintended USDC payments while trying to access an endpoint.
The documented payment command uses `-y` for the full sign-and-pay flow to an arbitrary URL, while the instructions do not require the agent to stop after probing and get explicit user confirmation of price and destination.
The tool handles the full payment flow: probe → sign → pay → return response. ... `x402-cli --json -y <url>`
Require the agent to run the probe first, show the amount/network/recipient to the user, and only run the `-y` payment command after explicit approval.
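The spending cap from the first finding and the probe-then-approve gate from the second can be enforced in one small wrapper that sits between the probe and the `-y` step. The following is an added example, not code from the audited skill or from the x402-cli project: it takes the probe result as a string (the 402 body the endpoint returns before payment), checks each offer against a hypothetical per-wallet policy (allowed network, allowlisted recipient, hard per-request cap), asks a human for approval only for an offer that passed, and only then hands back the documented `x402-cli --json -y <url>` command for the caller to run. The JSON field names (`accepts`, `scheme`, `network`, `maxAmountRequired`, `payTo`) are an assumption about the x402 v1 payment-requirements format; the sample body, addresses and policy values are constructed. Nothing in it signs or sends anything.

```python
"""Policy gate placed between the probe and the `-y` sign-and-pay step (added example)."""
import json
import sys
from dataclasses import dataclass
from decimal import Decimal
from typing import Callable, Dict, FrozenSet, List, Optional

USDC_DECIMALS = 6  # USDC amounts on the wire are integers in 10^-6 units


@dataclass(frozen=True)
class SpendPolicy:
    allowed_networks: FrozenSet[str]
    allowed_recipients: FrozenSet[str]  # lowercase 0x addresses
    max_atomic: int                     # hard per-request cap in USDC atomic units


# Hypothetical policy for a dedicated low-value wallet: one test network,
# one allowlisted recipient, at most 0.05 USDC per request.
DEFAULT_POLICY = SpendPolicy(
    allowed_networks=frozenset({"base-sepolia"}),
    allowed_recipients=frozenset({"0x1111111111111111111111111111111111111111"}),
    max_atomic=50_000,
)

# Constructed probe result in the x402 v1 "payment requirements" shape.
# The field names are an assumption about the protocol; the audited skill
# does not document them. Addresses are placeholders.
SAMPLE_402_BODY = json.dumps({
    "x402Version": 1,
    "accepts": [{
        "scheme": "exact",
        "network": "base-sepolia",
        "maxAmountRequired": "10000",  # 0.01 USDC
        "resource": "https://api.example.test/report",
        "payTo": "0x1111111111111111111111111111111111111111",
        "asset": "0x2222222222222222222222222222222222222222",
        "maxTimeoutSeconds": 60,
    }],
})


def atomic_to_usdc(amount: int) -> str:
    """Render an atomic-unit amount as a decimal USDC string without floats."""
    return str(Decimal(amount).scaleb(-USDC_DECIMALS))


def parse_requirements(body: str) -> List[Dict]:
    """Pull the list of payment offers out of a 402 body; refuse an empty one."""
    accepts = json.loads(body).get("accepts")
    if not isinstance(accepts, list) or not accepts:
        raise ValueError("402 body carries no 'accepts' entries")
    return accepts


def check_requirement(req: Dict, policy: SpendPolicy) -> List[str]:
    """Return every policy violation for one offer; an empty list means it passes."""
    problems = []
    if req.get("scheme") != "exact":
        problems.append(f"unsupported scheme {req.get('scheme')!r}")
    if req.get("network") not in policy.allowed_networks:
        problems.append(f"network {req.get('network')!r} not allowed")
    pay_to = str(req.get("payTo", "")).lower()
    if pay_to not in policy.allowed_recipients:
        problems.append(f"recipient {pay_to or '<missing>'} not allowlisted")
    try:
        amount = int(req["maxAmountRequired"])
    except (KeyError, TypeError, ValueError):
        problems.append("amount missing or not an integer string")
    else:
        if amount <= 0 or amount > policy.max_atomic:
            problems.append(f"amount {atomic_to_usdc(amount)} USDC exceeds cap "
                            f"{atomic_to_usdc(policy.max_atomic)} USDC")
    return problems


def decide(url: str, body: str, policy: SpendPolicy,
           confirm: Callable[[str], bool]) -> Optional[List[str]]:
    """Map a probe result to the argv of the paid request, or None.

    `confirm(summary)` is the human approval step and is only asked about an
    offer that already passed the policy. Nothing here signs or sends anything;
    the caller runs the returned command only if one is returned.
    """
    for req in parse_requirements(body):
        if check_requirement(req, policy):
            continue  # try the next offer, if the server made several
        summary = (f"pay {atomic_to_usdc(int(req['maxAmountRequired']))} USDC on "
                   f"{req['network']} to {req['payTo']} for {url}")
        if confirm(summary):
            return ["x402-cli", "--json", "-y", url]  # the documented auto-pay form
        return None  # explicit denial ends the flow; no fallback to another offer
    return None


def ask_operator(summary: str) -> bool:
    """Interactive approval: anything other than an explicit 'y' is a refusal."""
    return input(f"{summary}? [y/N] ").strip().lower() == "y"


if __name__ == "__main__":
    # Interactive use: the 402 body would come from the probe step; here the sample.
    target = "https://api.example.test/report"
    argv = decide(target, SAMPLE_402_BODY, DEFAULT_POLICY, ask_operator)
    print("approved:", " ".join(argv) if argv else "nothing; not paying")
    sys.exit(0 if argv else 1)
```

The gate fails closed: an offer that is over the cap, on the wrong network, or to an unknown recipient never reaches the approval prompt, and a refusal at the prompt returns nothing rather than falling through to another offer. Because the `-y` command is only ever produced by `decide`, an agent wired through this wrapper cannot reach the sign-and-pay path by skipping the probe.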
A future upstream change could alter the behavior of the binary that receives the private key.
The Go install path fetches the latest external CLI version rather than a pinned, reviewed version. This is a common install pattern, but it matters here because the binary is the component that receives the private key and performs the signing.
package: github.com/razvanmacovei/x402-cli@latest
Prefer a pinned version or verified release (for example `go install` with an explicit release tag instead of `@latest`, then confirm the installed module version with `go version -m` on the binary), and review the upstream project before configuring a wallet key.
