Neckr0ik X402 Payments
x402 payment protocol for AI agents. Enables autonomous micropayments using HTTP 402 status codes and stablecoins. Use when you need to pay for API access, a...
MIT-0 · Free to use, modify, and redistribute. No attribution required.
⭐ 0 · 147 · 1 current installs · 1 all-time installs
MIT-0
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description (x402 micropayments) align with the included code: the client checks for HTTP 402 responses, constructs payment requests, stores receipts, and simulates signing/submission. Requiring a wallet/private key is coherent for signing payments. However, the SKILL.md advertises a CLI named 'neckr0ik-x402-payments' and Python import examples, while the repository only includes scripts/x402.py and no install spec — that mismatch is unexplained.
Instruction Scope
SKILL.md instructs the agent to set wallet.private_key (or use environment variable X402_PRIVATE_KEY) and to run CLI commands. The skill's runtime instructions reference storing keys and writing history locally. The declared metadata lists no required env vars, but the docs explicitly mention X402_PRIVATE_KEY; that is an access/instruction mismatch. The instructions also direct creation and use of a local ~/.x402 directory (config, wallet.json, history.jsonl), which grants the skill write/read access to local files containing sensitive data (private keys, transaction history).
Install Mechanism
There is no install specification (instruction-only), but a Python script scripts/x402.py is included. Because there's no install step or packaging, the SKILL.md's CLI name may not exist on PATH; operators would need to run the Python script directly or install it themselves. Lack of an install mechanism is lower-risk than arbitrary downloads, but the mismatch reduces clarity about how code will actually run.
Credentials
The skill handles highly sensitive data (wallet private keys) and suggests storing them either via a config command (which likely writes plaintext wallet.json) or the environment variable X402_PRIVATE_KEY. Yet requires.env in the metadata is empty. The skill does not declare or justify this sensitive access in registry metadata, and there is no guidance that private keys will be encrypted at rest. Requesting or handling private keys without declaring them is disproportionate and warrants caution.
Persistence & Privilege
The skill creates a per-user config directory (~/.x402) and writes wallet and history files. always:false (not force-installed) and it does not request system-wide privileges. Writing config and history is consistent with a payments client, but persistent local storage of private keys and unencrypted receipts increases risk — the skill will keep a permanent local footprint in the user's home directory.
What to consider before installing
This skill implements an autonomous micropayments client and will create ~/.x402 and write wallet and history files. Before installing: (1) Confirm how the CLI is meant to be run—SKILL.md names 'neckr0ik-x402-payments' but only scripts/x402.py is included. (2) Treat any private key as highly sensitive: do not provide your main funds wallet. Ask the author whether private keys are encrypted at rest; if not, assume wallet.json and history are plaintext. (3) Prefer signing transactions offline or with a hardware wallet rather than storing X402_PRIVATE_KEY in env or config. (4) Verify facilitator endpoints and network behavior (no hard-coded remote upload was found, but facilitator URLs come from servers you contact). (5) If you cannot audit the remaining/truncated code or the references/ facilitator lists, consider using a throwaway wallet or rejecting the skill. The mismatches and plaintext key handling are the primary reasons for caution.Like a lobster shell, security has layers — review code before you run it.
Current versionv1.0.0
Download ziplatest
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
SKILL.md
x402 Payments for AI Agents
Autonomous payment protocol for AI agents using HTTP 402 + stablecoins.
What is x402?
x402 is an open standard for internet-native payments. It enables AI agents to pay for API calls automatically using stablecoins, without accounts or human intervention.
How it works:
- Agent requests API endpoint
- Server responds with HTTP 402 + payment details
- Agent signs payment authorization
- Payment settled on blockchain
- Request fulfilled automatically
Key benefits:
- No accounts or API keys
- Instant settlement
- Micropayments per request
- Blockchain-agnostic (EVM + Solana)
- Perfect for autonomous agents
Quick Start
Check if endpoint supports x402
neckr0ik-x402-payments check https://api.example.com/premium
Pay for API access
neckr0ik-x402-payments pay https://api.example.com/premium --amount 0.01
Accept payments (for your API)
neckr0ik-x402-payments serve --port 8080 --price 0.01
Payment Flow
Agent x402 Facilitator API Server
| | |
|-- GET /premium ------>|----------------------->|
| | |
|<-- HTTP 402 -----------|------------------------|
| (payment required) | |
| {amount, address, | |
| chain, facilitator}| |
| | |
|-- Sign payment ------>| |
| | |
| |-- Submit to chain --->|
| | |
| |<-- Confirmation ------|
| | |
|-- GET /premium --------|----------------------->|
| PAYMENT-SIGNATURE | |
| | |
|<-- 200 OK -------------|------------------------|
| (data) | |
Supported Chains
- Ethereum (Mainnet, L2s)
- Polygon
- Base
- Arbitrum
- Optimism
- Solana
Supported Stablecoins
- USDC
- USDT
- DAI
Commands
check
Check if an endpoint supports x402 payments.
neckr0ik-x402-payments check <url>
Options:
--timeout <ms> Request timeout (default: 10000)
pay
Pay for API access and receive data.
neckr0ik-x402-payments pay <url> [options]
Options:
--amount <amount> Maximum amount to pay (in USD)
--chain <chain> Preferred chain (default: base)
--token <token> Stablecoin token (default: usdc)
--wallet <address> Wallet to use for payment
--dry-run Show payment details without paying
serve
Start an x402-enabled API server.
neckr0ik-x402-payments serve [options]
Options:
--port <port> Server port (default: 8080)
--price <amount> Price per request (in USD)
--chain <chain> Accept payments on chain (default: base)
--token <token> Accept stablecoin (default: usdc)
--wallet <address> Receiving wallet address
balance
Check your payment wallet balance.
neckr0ik-x402-payments balance [options]
Options:
--chain <chain> Chain to check (default: all)
history
View payment history.
neckr0ik-x402-payments history [options]
Options:
--limit <n> Number of transactions (default: 10)
--chain <chain> Filter by chain
Configuration
Set up your wallet for payments:
# Set wallet private key (stored securely)
neckr0ik-x402-payments config set wallet.private_key <key>
# Or use environment variable
export X402_PRIVATE_KEY=<key>
# Set receiving address for payments
neckr0ik-x402-payments config set wallet.address <address>
Use Cases
As an Agent (Pay for API Access)
# Before: Need API key, account, subscription
response = requests.get("https://api.example.com/data",
headers={"Authorization": "Bearer YOUR_API_KEY"})
# After: Autonomous payment, no account needed
response = x402.get("https://api.example.com/data")
As a Provider (Accept Payments)
from x402 import PaymentMiddleware
app = Flask(__name__)
app.wsgi_app = PaymentMiddleware(app.wsgi_app, price=0.01)
@app.route("/premium-data")
def premium_data():
return {"data": "only accessible after payment"}
# Requests to /premium-data automatically require payment
Security
- Private keys never leave your machine
- Payments signed locally
- Transaction broadcast through facilitators
- All settlements verified on-chain
- Payment receipts stored for audit
See Also
references/x402-spec.md— Full protocol specificationreferences/facilitators.md— List of known facilitatorsscripts/x402.py— Payment implementation
Files
3 totalSelect a file
Select a file to preview.
Comments
Loading comments…