ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Fortytwo MCP

v1.1.0

Fortytwo Prime: collective multi-agent inference for high-stakes questions. ALWAYS use when the user says "Ask Fortytwo", "Ask Prime", "ask Fortytwo Prime",...

2· 175·0 current·0 all-time
by@inikitin

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for inikitin/fortytwo-mcp.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Fortytwo MCP" (inikitin/fortytwo-mcp) from ClawHub.
Skill page: https://clawhub.ai/inikitin/fortytwo-mcp
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install fortytwo-mcp

ClawHub CLI

Package manager switcher

npx clawhub@latest install fortytwo-mcp
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill's description (on-chain pay-per-token collective inference) matches the included scripts: they create x402 payment signatures, call an external MCP gateway (https://mcp.fortytwo.network/mcp), and use Base/Monad RPCs. However, the registry metadata declares no required environment variables or primary credential while the scripts require a sensitive evm_private_key env var. That omission is an incoherence: the private key is necessary for the stated payment flow but was not declared.
!
Instruction Scope
SKILL.md directs operators to run local Python scripts that: read evm_private_key from the environment, call public RPC endpoints, POST JSON-RPC calls to the external Fortytwo gateway, and save session state to /tmp/.fortytwo_session. The instructions do not ask the agent to read unrelated system files, but they do instruct the agent (and local operator) to handle a private key and run code that will transmit signed payment payloads and queries to a remote service — this is within the skill's purpose but materially expands the agent's runtime scope and exposes a sensitive secret if misused.
Install Mechanism
There is no install spec (instruction-only), which is lower install risk. However, the skill bundles runnable Python scripts that will be executed by the user/agent; there is no provenance or homepage beyond a claimed platform URL, and no package signing/audit. The absence of an install step reduces supply-chain risk, but executing included code still runs arbitrary network and crypto operations on the host.
!
Credentials
The scripts require a full EVM private key (evm_private_key), which is a highly sensitive credential appropriate for signing on-chain payments and therefore proportionate to the described pay-per-token flow — but the skill registry fails to declare this required env var or any primary credential. Requiring a raw private key in an environment variable is inherently risky; the documentation recommends a dedicated low-value wallet, but the registry omission and lack of provenance increase the risk of accidental use of high-value keys.
Persistence & Privilege
The skill does not request always:true and does not modify other skills. It persists a session id to /tmp/.fortytwo_session and reuses it for subsequent calls (max 90 minutes). This local session file is modest persistence and expected for the described billing/session flow.
What to consider before installing
This skill will sign on-chain payment payloads using a private EVM key and send queries to an external MCP gateway. Before installing or running it: (1) Do NOT use any high-value private key — create and fund a dedicated low-value wallet (as the docs recommend). (2) Confirm the skill registry metadata is corrected to list evm_private_key as a required credential and request provenance/homepage/audit info for the mcp gateway (https://mcp.fortytwo.network). (3) Inspect the included scripts yourself (they are present) or run them in an isolated environment. (4) Prefer using a signing flow that doesn't require placing long-term private keys in environment variables (hardware wallet or local signing service) if possible. (5) If you proceed, run the provided preflight first and verify the exact network, contract address, and gateway endpoints before funding the wallet.

Like a lobster shell, security has layers — review code before you run it.

latestvk97f41prrnwwbx15mgdq8w79t983xg02
175downloads
2stars
6versions
Updated 4w ago
v1.1.0
MIT-0
@inikitin
latest
Download

Fortytwo MCP

Calls Fortytwo Prime — a collective inference system where multiple independent AI agents collaborate on every question. Paid per-token via x402 escrow using USDC on Base or Monad.

Prerequisites

The script signs on-chain payments using evm_private_key environment variable. Never ask the user to paste the key into chat — it must be set via shell:

export evm_private_key="0x..."

For full wallet setup and network details, see setup.md.

Getting Started

Before the first query, or if the script fails with a setup error:

  1. Explain that Prime is available and pricing is pay-per-token
  2. Run preflight: python scripts/preflight.py
  3. If preflight fails, guide user through setup.md
  4. Note which networks preflight reports as READY — pass the correct --network to the query script

Instructions

Querying Fortytwo Prime

Run the full MCP flow via script: Run from the skill directory:

cd /path/to/skills/fortytwo-mcp
python scripts/fortytwo_query.py "your question here" --network base
  • Answer goes to stdout, diagnostics to stderr
  • Session is saved automatically to /tmp/.fortytwo_session

Follow-up queries (session reuse, no new payment)

python scripts/fortytwo_query.py "follow-up question"

Session is auto-detected from the saved file — no need to pass --session-id. Sessions live up to 90 minutes (15 min idle timeout). If the session expired, the script automatically falls through to a new payment.

Use --no-session to force a new payment. Use --session-id <uuid> to override manually.

Streaming (optional)

The bundled script does not support streaming. For incremental output on long queries, use curl with SSE directly — see streaming.md for the request format and parsing algorithm.

Key details

  • Errors are not charged. Failed requests cancel the budget reservation automatically.
  • Sessions are billing-only. Prime does not remember previous questions — include context in each query.
  • Retries are built in. The script retries up to 3 times on transient 400/502 with fresh signatures.
  • Timeout is 600s (10 minutes). On-chain settlement + multi-agent inference takes time. Run the script with a sufficient timeout — do not kill it early or set shorter limits.

How to Present the Answer

  1. Show the full answer — do not summarize unless the user explicitly asks for a summary. The user is paying.
  2. Attribute it — "Here's what Fortytwo Prime returned:"
  3. Add commentary if useful — your perspective after the full answer.
  4. Offer follow-up — "Want me to ask a follow-up?" (reuses session while budget remains).

Troubleshooting

ErrorCauseFix
evm_private_key not setEnv var missingexport evm_private_key="0x..."
missing dependencyPython packagespip install eth-account web3
low USDC balanceWallet emptyTransfer USDC on Base or Monad
Transient 400/502On-chain timingScript auto-retries; if persistent, surface to user
402 on session callBudget exhaustedNew payment needed (script handles this)
409/410Session closedScript falls through to new payment
Invalid signatureWrong EIP-712 domainSee payment.md — query name()/version() on-chain

References

  • setup.md — wallet setup, network config, and pricing. Read when guiding a new user through onboarding.
  • payment.md — EIP-712 signing details and common mistakes. Read when debugging signature errors or building a custom payment flow.
  • session.md — session lifecycle, error codes, and idempotency. Read when troubleshooting 402/409/410 errors on follow-up queries.
  • streaming.md — SSE streaming via progressToken. Read when the user wants incremental output on long queries (requires curl, not the bundled script).

Comments

Loading comments...