ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

x402 Private Web Tools

Private web tools for AI agents — search, scrape, and screenshot the web with x402 micropayments (USDC on Base). Zero logging, no API keys, no accounts. Pay...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 475 · 0 current installs · 0 all-time installs
by@kodos-vibe
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description, scripts, and CLI all align: the tool pays for web search/scrape/screenshot via an x402 payment SDK using an EVM wallet. However wallet-gen.mjs prints and documents Base Sepolia (testnet) while SKILL.md repeatedly instructs funding on Base mainnet — this mismatch is confusing and could cause users to fund the wrong chain.
Instruction Scope
Runtime instructions are narrowly scoped to installing the client, generating a wallet, and making paid requests to the declared gateway (https://search.reversesandbox.com). The scripts only read the wallet key (env var or key file) and perform network requests to the gateway; they do not access unrelated system paths or secrets.
!
Install Mechanism
setup.sh runs npm install in the user's ~/.x402-client directory and writes package.json, pulling three packages (@x402/fetch, @x402/evm, viem) from the npm registry. This is a standard but non-trivial supply-chain action: it will fetch and install third-party code into your home directory. The packages are not verified here and the skill includes no pinned source/release URLs.
!
Credentials
The skill requires an EVM private key to sign payments and instructs users to export X402_PRIVATE_KEY or store a key file. That is necessary for payments but is highly sensitive. The metadata declared no required env vars even though the scripts use X402_PRIVATE_KEY and X402_KEY_FILE. Also wallet-gen prints private keys to stdout (unless saved) which can leak the secret if logs are captured — the mismatch between 'mainnet' vs 'sepolia' in docs increases risk of mis-funding.
Persistence & Privilege
The skill is not always-on and does not request elevated system-wide privileges. It installs files into ~/.x402-client (its own directory) and does not modify other skills or global agent settings. Autonomous invocation is allowed by default (normal).
What to consider before installing
This appears to be an instruction-only client that installs npm packages and requires you to supply an EVM private key to pay per request. Before installing: (1) verify the npm packages (@x402/* and viem) and the GitHub repo referenced for the MCP server are legitimate and reviewed; (2) prefer saving the private key to a file with restrictive permissions (600) rather than exporting it into your shell long-term; (3) use an ephemeral wallet funded with minimal USDC/ETH (so a compromised key has limited impact); (4) note the wallet-gen script mentions Base Sepolia (testnet) while the README says Base mainnet — confirm which network is intended before sending funds; (5) be aware npm install will pull code from the registry into your home dir (supply-chain risk). If you are uncomfortable with those risks or cannot verify the package sources, do not install or fund a real mainnet wallet.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk973srp23z7z6j2jh2nc341zmd81a3ew

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

x402 Private Web Tools

Search, scrape, and screenshot the web privately. Uses the x402 payment protocol — your agent pays per request with USDC on Base mainnet. No API keys, no accounts, no logging.

Services:

  • 🔍 Web Search — Multi-engine private search ($0.002/query)
  • 🕸️ Web Scrape — Extract clean markdown from any URL ($0.005/page)
  • 📸 Screenshot — Capture any URL as PNG/JPEG ($0.002/shot)

Gateway: https://search.reversesandbox.com

Prerequisites

  • Node.js 18+
  • A Base mainnet wallet with ETH (gas) and USDC (payments)

First-Time Setup

1. Install dependencies

bash <skill-dir>/scripts/setup.sh

Installs the x402 SDK to ~/.x402-client/. Only needed once.

2. Generate a wallet (if you don't have one)

node <skill-dir>/scripts/wallet-gen.mjs --out ~/.x402-client/wallet.key

3. Fund the wallet

Send USDC and a small amount of ETH (for gas) on Base mainnet to the wallet address printed by wallet-gen.

  • USDC on Base: Bridge from any chain or buy on an exchange
  • ETH on Base: ~$0.50 is enough for thousands of requests

4. Store the key

export X402_PRIVATE_KEY=$(cat ~/.x402-client/wallet.key)

Or pass --key-file ~/.x402-client/wallet.key to each request.

Usage

All commands run from ~/.x402-client/:

cd ~/.x402-client && node <skill-dir>/scripts/x402-fetch.mjs "<url>" --key-file wallet.key

Web Search ($0.002/query)

node <skill-dir>/scripts/x402-fetch.mjs \
  "https://search.reversesandbox.com/web/search?q=latest+AI+news&count=10" \
  --key-file ~/.x402-client/wallet.key

Parameters: q (required), count (1-20, default 10), offset (default 0)

Response:

{
  "query": { "original": "latest AI news" },
  "web": {
    "results": [
      { "title": "...", "url": "...", "description": "..." }
    ]
  }
}

Web Scrape ($0.005/page)

node <skill-dir>/scripts/x402-fetch.mjs \
  "https://search.reversesandbox.com/scrape/extract" \
  --method POST \
  --body '{"url": "https://example.com", "format": "markdown"}' \
  --key-file ~/.x402-client/wallet.key

Body (JSON): url (required), format ("markdown"|"text", default "markdown"), includeLinks (bool), timeout (ms)

Response:

{
  "title": "Example Domain",
  "content": "# Example Domain\nThis domain is for use in...",
  "url": "https://example.com",
  "timestamp": "2026-02-16T09:00:00.000Z",
  "format": "markdown"
}

Screenshot ($0.002/shot)

node <skill-dir>/scripts/x402-fetch.mjs \
  "https://search.reversesandbox.com/screenshot/?url=https://example.com&width=1280&height=720" \
  --key-file ~/.x402-client/wallet.key \
  --save screenshot.png

Parameters: url (required), format (png|jpeg, default png), width (320-3840), height (200-2160), fullPage (true|false), quality (1-100, jpeg only)

Returns: Binary PNG or JPEG image. Use --save <file> to write to disk.

MCP Server

For MCP-compatible agents (Claude, etc.), use the MCP server:

# Install
npm install -g x402-tools-mcp

# Run (set your wallet key)
X402_PRIVATE_KEY=0x... x402-tools-mcp

GitHub: https://github.com/kodos-vibe/x402-tools-mcp

Provides tools: web_search, web_scrape, screenshot

Free Endpoints (no payment required)

  • GET /health — Service status
  • GET /routes — List all endpoints with prices

Troubleshooting

  • "insufficient funds": Wallet needs more USDC or ETH on Base mainnet.
  • 402 with no auto-payment: Ensure setup.sh was run and you're in ~/.x402-client/.
  • Slow scrape (10s+): Complex JS-heavy pages take longer. Use the timeout parameter.
  • Empty search results: Try different query terms. Some niche queries may return fewer results.

Files

5 total
Select a file
Select a file to preview.

Comments

Loading comments…