Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Pay For Service
v0.1.0
Make a paid API request to an x402 endpoint with automatic USDC payment. Use when you or the user want to call a paid API, make an x402 request, use a paid service, or pay for an API call. Use after finding a service with search-for-service.
⭐ 0· 864·5 current·5 all-time
by @0xrag
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md describes exactly how to make x402 paid requests using the 'npx awal' CLI, which aligns with the skill name and description. However, the skill metadata declares no required binaries while the runtime instructions assume npx (and thus Node/npm) are available — a mismatch between declared requirements and actual runtime needs.
Instruction Scope
Instructions stay within the stated purpose (call a paid API, check wallet status/balance, set max payment). They do, however, direct the agent to perform real monetary transactions and to send request payloads to arbitrary external endpoints, so callers must verify and trust the target URL and the payloads before invoking.
Install Mechanism
There is no install spec, but the skill requires running 'npx awal@latest', which downloads and executes the latest package from the npm registry at runtime. Running npx @latest is a supply-chain risk (remote code execution) and should be treated with caution; the skill does not recommend pinning a vetted version or provide guidance about vetting the package.
Credentials
The skill declares no required environment variables or credentials, which is consistent with an instruction-only helper. In practice it requires an authenticated wallet and USDC balance (handled by the local 'awal' CLI), so sensitive wallet state or keys (outside the skill manifest) will be used — this is proportional to the payment purpose but is sensitive and not explicitly documented in the manifest.
Persistence & Privilege
Skill is user-invocable, not always-enabled, and does not request persistent system-wide privileges or modify other skills. No elevated persistence is requested.
What to consider before installing
This skill is coherent with its stated purpose but exercise caution before using it:
1) Verify and trust the target x402 endpoint before sending requests — the command will perform real USDC payments.
2) Prefer pinning a specific vetted version of 'awal' (for example 'npx awal@1.2.3' or installing a vetted binary) instead of 'awal@latest' to reduce supply-chain risk.
3) Confirm the wallet you will use is intended for these payments and contains only funds you are willing to spend; test with a small max-amount first.
4) Review the 'awal' package and its maintainers (npm page, repo, changelog) before executing remote code.
5) If you need stricter controls, run the command in an isolated environment or with a wallet that has limited funds/permissions.
If you want, provide the 'awal' package version you trust or the environment where npx will run so the assessment can be updated.
Like a lobster shell, security has layers — review code before you run it.
latest vk97ee5s9cxmma2k3zq9hf9x1qd80zpq4
