Proxy Gateway X402

v0.1.6

Proxy Gateway X402 enables unrestricted pay-per-use internet access via the x402 protocol with direct USDC payments on Base L2, requiring no custody or KYC.

⭐ 0· 124·1 current·1 all-time

by@kehongpeng

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for kehongpeng/proxy-gateway-x402.

Previewing Install & Setup.

Prompt PreviewInstall & Setup

Install the skill "Proxy Gateway X402" (kehongpeng/proxy-gateway-x402) from ClawHub.
Skill page: https://clawhub.ai/kehongpeng/proxy-gateway-x402
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install proxy-gateway-x402

ClawHub CLI

Package manager switcher

npx clawhub@latest install proxy-gateway-x402

Security Scan

VirusTotal

Suspicious

View report →

OpenClaw

Suspicious

medium confidence

ℹ

Purpose & Capability

The name, description, SKILL.md, and included code are consistent in implementing a pay-per-use HTTP proxy that verifies/sends USDC on-chain. However, metadata claims 'instruction-only' (no required env vars) while the code requires runtime configuration (DEVELOPER_WALLET, ADMIN_TOKEN, RPC_URL, etc.). README also references a hosted custodial endpoint and different trust models, creating mixed signals about custody/trust. Overall capability matches purpose but the packaging/metadata is inconsistent.

Instruction Scope

SKILL.md explicitly instructs users to set USER_EVM_PRIVATE_KEY in their environment to enable auto-pay; the code implements an auto-pay flow that signs and submits USDC transfers using that key. The skill also directs traffic through hosted endpoints (e.g., proxy-gateway-x402.easky.cn / proxy.easky.cn) and explicitly warns that all request data transits the proxy. Asking users (or an agent) to provide a raw private key and to route arbitrary requests through an external host expands scope and risk beyond a simple helper skill.

ℹ

Install Mechanism

There is no install spec (instruction-only), which is lower risk in isolation, but the package contains a full application (19+ code files, requirements.txt, Docker instructions). That mismatch (no declared install but full source present) is unusual and should be clarified: either the skill is truly instruction-only (in which case shipping server code is misleading) or the code is intended to be deployed locally/dockerized (which requires an install step).

Credentials

Metadata shows 'required env vars: none' but the SKILL.md and code require several sensitive environment variables (USER_EVM_PRIVATE_KEY for auto-pay, DEVELOPER_WALLET, ADMIN_TOKEN, RPC_URL, REDIS creds, etc.). Requesting a user's private key as an environment variable is high-risk even if the skill recommends a dedicated wallet. The number and sensitivity of vars is disproportional to what's declared in the registry metadata.

Persistence & Privilege

The skill is not set always:true, and model invocation is allowed (default). Because the middleware supports auto-pay by reading USER_EVM_PRIVATE_KEY, autonomous invocation of the skill (or an agent using it) could cause on‑chain payments without an interactive confirmation. The combination of autonomous invocation + private-key-based auto-pay increases the blast radius and is a significant risk if a private key is present in the environment.

What to consider before installing

Key things to consider before installing or using this skill: - Metadata vs. reality: the registry metadata claims no env vars and 'instruction-only', yet the package contains a full server implementation that expects multiple environment variables (DEVELOPER_WALLET, ADMIN_TOKEN, RPC_URL, REDIS settings) and the SKILL.md asks you to set USER_EVM_PRIVATE_KEY for auto-pay. Ask the publisher to clarify required configuration and why metadata omits these. - Do NOT put your main private key in an environment variable: the skill explicitly instructs to set USER_EVM_PRIVATE_KEY to enable auto-pay. This gives code direct ability to sign and send transactions. If you decide to use auto-pay, only use a dedicated wallet with minimal funds, or better: avoid auto-pay and use manual payments. Prefer hardware wallet or signing through a separate, secure signing service rather than exporting a raw private key to the environment. - Hosted endpoints are untrusted by default: SKILL.md/README reference hosted proxies (proxy-gateway-x402.easky.cn, proxy.easky.cn) of unknown origin. All proxied request data (URLs, headers, bodies, responses) will be visible to the operator — do not proxy API keys, passwords, private endpoints, or sensitive data through a hosted instance. Self-host if you need privacy. - Verify developer recipient address and code provenance: the DEVELOPER_WALLET controls payment receipts. If you plan to pay, confirm the wallet address and the publisher identity. The skill's Source/Homepage are unknown; prefer code that is published from a traceable repository and signed releases. - Self-hosting recommended: if you need the functionality, deploy the included server in an isolated environment (container), set RPC and wallet config to your own endpoints/wallets, and audit the code (particularly auto-pay and transaction validation) before use. - Minimize privileges: if you test, set NETWORK=testnet (or base-sepolia), use a test RPC_URL, and set ADMIN_TOKEN / REDIS credentials appropriately. Inspect and optionally remove auto-pay capability if you cannot securely sign transactions. What additional info would change the assessment: - A verified publisher identity, an authoritative homepage/release URL, and matching registry metadata that declares required env vars and explains the hosted endpoints would raise confidence. - Removal of the auto-pay-from-env pattern (or replacing it with a secure external signing flow/hardware-wallet integration) would materially reduce risk and could change the verdict toward benign. Given the sensitive environment interaction (private key) and metadata/instruction mismatches, treat this skill as suspicious until the developer clarifies packaging, hosting, and how signing is performed securely.

Like a lobster shell, security has layers — review code before you run it.

latestvk978xn0rmy95jq8qwexfnbsm1x83jym0

124downloads

0stars

7versions

Updated 1mo ago

v0.1.6

MIT-0

Proxy Gateway x402

🚀 Agent-to-Agent Commerce Proxy — Unrestricted internet access with pay-per-use via x402 protocol. No custody, no KYC, direct USDC payments.

⚡ Key Features

Feature	Benefit
💰 Pay-Per-Use	Only pay when you use, no subscriptions
🔗 x402 Protocol	Agent-to-Agent commerce, automatic payments
🏦 No Custody	Funds go directly to developer, no middleman
🔓 No KYC	Crypto-native, no identity verification
⚡ Instant	Sub-second confirmation on Base L2
🛡️ Self-Host	Full source code, deploy your own

💰 Pricing

Item	Details
Price	0.001 USDC per request
Token	USDC
Network	Base (Ethereum L2)
Gas	~$0.0001 per transaction

🚀 Quick Start

For Users

1. Install the Skill

clawhub install proxy-gateway-x402

2. Set Up Auto-Pay (Recommended)

# Set your private key for automatic payments
export USER_EVM_PRIVATE_KEY=0xYourPrivateKey

# ⚠️ Security: Use a dedicated wallet with limited funds

3. Use the Proxy

import requests
import json

# Method 1: Auto-pay (if USER_EVM_PRIVATE_KEY is set)
response = requests.post(
    "https://proxy-gateway-x402.easky.cn/api/v1/fetch",
    json={
        "url": "https://api.github.com/users/github",
        "method": "GET"
    }
)
print(response.json()["content"])

# Method 2: Manual payment
# First call returns 402 Payment Required
response = requests.post(
    "https://proxy-gateway-x402.easky.cn/api/v1/fetch",
    json={"url": "https://example.com/api", "method": "GET"}
)
# Response: {"error": "Payment Required", "x402": {...}}

# Pay 0.001 USDC to the specified address
# Then retry with payment proof
response = requests.post(
    "https://proxy-gateway-x402.easky.cn/api/v1/fetch",
    headers={"X-Payment-Response": json.dumps({"tx_hash": "0x..."})},
    json={"url": "https://example.com/api", "method": "GET"}
)

🔧 For Developers

Deploy Your Own Instance

1. Clone & Install

git clone https://github.com/yourname/proxy-gateway-x402.git
cd proxy-gateway-x402

python -m venv venv
source venv/bin/activate

pip install -r requirements.txt

2. Configure Environment

cp .env.example .env
# Edit .env with your settings:
# - DEVELOPER_WALLET: Your wallet to receive payments
# - PRICE_PER_REQUEST: Set your price (default: 0.001)
# - X402_CHAIN: base or base-sepolia (for testing)

3. Run

# Development
uvicorn app.main:app --reload --port 8080

# Production
uvicorn app.main:app --host 0.0.0.0 --port 8080

Docker Deployment

docker build -t proxy-gateway-x402 .

docker run -d \
  -p 8080:8080 \
  -e DEVELOPER_WALLET=0xYourWallet \
  -e PRICE_PER_REQUEST=0.001 \
  proxy-gateway-x402

📖 API Reference

POST /api/v1/fetch

Fetch any URL through the proxy.

Headers:

X-Payment-Response (optional): Payment proof JSON {"tx_hash": "0x..."}

Request Body:

{
  "url": "https://api.example.com/data",
  "method": "GET",
  "headers": {"Authorization": "Bearer token"},
  "body": null,
  "region": "us"
}

Response (Success):

{
  "success": true,
  "content": "...",
  "status_code": 200,
  "payment": {
    "verified": true,
    "tx_hash": "0x...",
    "amount": "0.001",
    "token": "USDC"
  }
}

Response (402 Payment Required):

{
  "success": false,
  "error": "Payment Required",
  "x402": {
    "version": "0.1.0",
    "scheme": "exact",
    "network": "base",
    "required": {
      "amount": "0.001",
      "token": "USDC",
      "recipient": "0x..."
    }
  }
}

GET /api/v1/price

Query current pricing.

Response:

{
  "price": "0.001",
  "token": "USDC",
  "network": "base",
  "recipient": "0x..."
}

🛡️ Security

For Users

⚠️ Private Key Safety

Use a hardware wallet or dedicated hot wallet
Never use your main wallet for auto-pay
Set daily spending limits on your wallet
Monitor transactions regularly

⚠️ Payment Verification

All payments are verified on-chain
Transactions cannot be forged or replayed
Payment proofs are cached for 5 minutes

For Developers

⚠️ Smart Contract Risks

USDC contract is standard ERC-20
No custom smart contracts in this implementation
All verification happens on-chain

⚠️ Disclaimer

This is experimental software. Use at your own risk.

No refunds for failed requests
Network fees are paid by the user
Developer receives payments directly, no escrow
This is NOT financial advice

🔗 Links

📄 License

MIT License - See LICENSE

Built with ❤️ for the Agent Commerce ecosystem.

Comments

Loading comments...