Agent Well-Known Readiness Audit
Pass
Audited by ClawScan on May 14, 2026.
Overview
The skill is coherent and transparent about using a paid x402 backend and optional local installer, but users should review payment limits and install paths before use.
This looks safe to install if you want a workflow for auditing agent/API readiness. Before use, confirm you are comfortable sending the target origin to the documented backend, configure wallet spend limits for x402 payments, and run the optional installer only with a reviewed target directory.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill can reveal which API or agent origin you are evaluating and may generate network traffic to that origin and to the provider backend.
The workflow directs the agent to make network probes and possibly call a paid backend. This is central to the stated audit purpose, but users should know that target origins and the backend may receive requests.
1. Normalize a target origin or URL.
2. Check free discovery surfaces first: root descriptor, .well-known agent-card/mcp/ai-plugin/x402, OpenAPI, agent-discovery, llms.txt when present.
3. Call the paid readiness_report when the free surfaces are missing, contradictory, or a pre-integration decision needs evidence.
Use it only on public or user-approved targets, keep the free-checks-first workflow, and review the target and cost before any paid backend call.
If your agent has a wallet policy that allows it, the skill may spend small USDC amounts for the documented paid endpoints.
The skill can involve wallet/payment authority through an x402-capable client. The artifacts disclose the payment mechanism and also instruct agents not to request private keys or bypass approval controls.
The backend uses x402 USDC on Base. A request without payment returns an HTTP 402 payment envelope. A capable x402 client can pay and retry automatically; otherwise surface the payment requirements to the user/operator.
Set explicit wallet spending limits and require review of the 402 payment envelope, including price, network, asset, payTo, and resource, before payment.
Running the installer changes local OpenClaw skill files, and using --force can replace an existing installed copy.
The optional installer is a local Python script that writes the package into a skills directory and can remove an existing destination when --force is provided. This is documented and purpose-aligned, but it is still local file modification authority.
    if dst.exists():
        if not force:
            raise SystemExit(f"target exists: {dst} (pass --force to overwrite)")
        shutil.rmtree(dst)
    ...
    shutil.copytree(src, dst, ignore=ignore)
Run the installer only from a reviewed package, verify checksums first, use a specific skills directory, and avoid --force unless you intend to overwrite the existing skill.
