ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Pay For Service

Make a paid API request to an x402 endpoint with automatic USDC payment. Use when you or the user want to call a paid API, make an x402 request, use a paid service, or pay for an API call. Use after finding a service with search-for-service.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 725 · 5 current installs · 5 all-time installs
by@0xRAG
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md describes exactly how to make x402 paid requests using the 'npx awal' CLI, which aligns with the skill name and description. However, the skill metadata declares no required binaries while the runtime instructions assume npx (and thus Node/npm) are available — a mismatch between declared requirements and actual runtime needs.
Instruction Scope
Instructions stay within the stated purpose (call a paid API, check wallet status/balance, set max payment). They do, however, direct the agent to perform real monetary transactions and to send request payloads to arbitrary external endpoints, so callers must verify and trust the target URL and the payloads before invoking.
!
Install Mechanism
There is no install spec, but the skill requires running 'npx awal@latest', which downloads and executes the latest package from the npm registry at runtime. Running npx @latest is a supply-chain risk (remote code execution) and should be treated with caution; the skill does not recommend pinning a vetted version or provide guidance about vetting the package.
Credentials
The skill declares no required environment variables or credentials, which is consistent with an instruction-only helper. In practice it requires an authenticated wallet and USDC balance (handled by the local 'awal' CLI), so sensitive wallet state or keys (outside the skill manifest) will be used — this is proportional to the payment purpose but is sensitive and not explicitly documented in the manifest.
Persistence & Privilege
Skill is user-invocable, not always-enabled, and does not request persistent system-wide privileges or modify other skills. No elevated persistence is requested.
What to consider before installing
This skill is coherent with its stated purpose but exercise caution before using it: 1) Verify and trust the target x402 endpoint before sending requests — the command will perform real USDC payments. 2) Prefer pinning a specific vetted version of 'awal' (for example 'npx awal@1.2.3' or installing a vetted binary) instead of 'awal@latest' to reduce supply-chain risk. 3) Confirm the wallet you will use is intended for these payments and contains only funds you are willing to spend; test with a small max-amount first. 4) Review the 'awal' package and its maintainers (npm page, repo, changelog) before executing remote code. 5) If you need stricter controls, run the command in an isolated environment or with a wallet that has limited funds/permissions. If you want, provide the 'awal' package version you trust or the environment where npx will run so the assessment can be updated.

Like a lobster shell, security has layers — review code before you run it.

Current versionv0.1.0
Download zip
latestvk97ee5s9cxmma2k3zq9hf9x1qd80zpq4

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Making Paid x402 Requests

Use the npx awal@latest x402 pay command to call paid API endpoints with automatic USDC payment on Base.

Confirm wallet is initialized and authed

npx awal@latest status

If the wallet is not authenticated, refer to the authenticate-wallet skill.

Command Syntax

npx awal@latest x402 pay <url> [-X <method>] [-d <json>] [-q <params>] [-h <json>] [--max-amount <n>] [--json]

Options

OptionDescription
-X, --method <method>HTTP method (default: GET)
-d, --data <json>Request body as JSON string
-q, --query <params>Query parameters as JSON string
-h, --headers <json>Custom HTTP headers as JSON string
--max-amount <amount>Max payment in USDC atomic units (1000000 = $1.00)
--correlation-id <id>Group related operations
--jsonOutput as JSON

USDC Amounts

X402 uses USDC atomic units (6 decimals):

Atomic UnitsUSD
1000000$1.00
100000$0.10
50000$0.05
10000$0.01

IMPORTANT: Always single-quote amounts that use $ to prevent bash variable expansion (e.g. '$1.00' not $1.00).

Examples

# Make a GET request (auto-pays)
npx awal@latest x402 pay https://example.com/api/weather

# Make a POST request with body
npx awal@latest x402 pay https://example.com/api/sentiment -X POST -d '{"text": "I love this product"}'

# Limit max payment to $0.10
npx awal@latest x402 pay https://example.com/api/data --max-amount 100000

Prerequisites

  • Must be authenticated (npx awal@latest status to check, see authenticate-wallet skill)
  • Wallet must have sufficient USDC balance (npx awal@latest balance to check)
  • If you don't know the endpoint URL, use the search-for-service skill to find services first

Error Handling

  • "Not authenticated" - Run awal auth login <email> first, or see authenticate-wallet skill
  • "No X402 payment requirements found" - URL may not be an x402 endpoint; use search-for-service to find valid endpoints
  • "Insufficient balance" - Fund wallet with USDC; see fund skill

Files

1 total
Select a file
Select a file to preview.

Comments

Loading comments…