Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

SkillzMarket

v1.0.5

Search and call monetized AI skills from Skillz Market with automatic USDC payments on Base. Use when the user wants to find paid AI services, call external skills with cryptocurrency payments, or integrate with the Skillz Market ecosystem.

0 · 2.5k · 2 current · 2 all-time
Security Scan
Capability signals
Crypto · Requires wallet · Can make purchases · Can sign transactions
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal
Suspicious
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (marketplace + automated x402 USDC payments) aligns with the code and SKILL.md: the CLI looks up skills, fetches endpoints, and uses an x402 client to sign payments. Required binary (npx) and env var (SKILLZ_PRIVATE_KEY) are expected for this functionality.
Instruction Scope
Runtime instructions and the code only reference SKILLZ_PRIVATE_KEY and SKILLZ_API_URL. They explicitly instruct storing the private key in ~/.openclaw/openclaw.json or via an env var — this is coherent with payment signing but sensitive. The skill exposes a 'direct' command that will POST to arbitrary URLs, which is powerful and worth attention.
Install Mechanism
There is no install spec (instruction-only), which reduces installer risk. However package.json lists dependencies (@x402/*, viem, tsx). The runtime expects npx tsx to execute the TypeScript file; if dependencies are not installed locally, execution may fail or npx may attempt to fetch/run packages dynamically. This is not an explicit remote-download install, but you should confirm dependency provenance before running.
Credentials
The skill requires a full wallet private key (SKILLZ_PRIVATE_KEY) as its primary credential. That is proportionate to performing signed on-chain payments, but a private key grants full control of the wallet and is high-risk to store in plaintext. Combined with the 'direct' ability to call arbitrary endpoints and automatic payment signing, this increases the blast radius if the skill (or a called endpoint) is malicious or misused.
Persistence & Privilege
always is false; the skill does not request persistent platform privileges or modify other skills. It uses only its own config mapping and environment variable for credentials.
What to consider before installing
This skill appears to do what it claims (look up paid skills and sign x402 payments), but it requires your wallet private key which is very powerful. Before installing: (1) only use a dedicated wallet with limited funds for this skill; never reuse your main wallet key; (2) prefer setting SKILLZ_PRIVATE_KEY as an environment variable or use a wallet with minimal balance rather than storing the key in ~/.openclaw/openclaw.json; (3) verify the upstream source/repository and the @x402 packages on npm (or use a vetted implementation) — the registry metadata has no homepage; (4) be cautious with the 'direct' command since it will POST to arbitrary URLs and can trigger payments; consider disabling autonomous model invocation or only invoking the skill manually; (5) if you need stronger guarantees, use a remote signing service or hardware wallet instead of exposing a raw private key. If you cannot verify the publisher or are uncomfortable exposing a private key, do not install.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Bins: npx
Env: SKILLZ_PRIVATE_KEY
Primary env: SKILLZ_PRIVATE_KEY
latest: vk97ar6xd02tg6qymqnr5vxpry180bs2x
2.5k downloads
0 stars
6 versions
Updated 17h ago
v1.0.5
MIT-0

Skillz Market

Search and call monetized AI skills with automatic cryptocurrency payments via x402.

Quick Start

List all available skills:

npx tsx {baseDir}/skillz-cli.ts list

Search for skills:

npx tsx {baseDir}/skillz-cli.ts search "echo"

Get skill details:

npx tsx {baseDir}/skillz-cli.ts info "echo-service"

Call a skill (requires SKILLZ_PRIVATE_KEY):

npx tsx {baseDir}/skillz-cli.ts call "echo-service" '{"message":"hello"}'

Commands

  • list [--verified] - List all available skills (optionally filter by verified only)
  • search <query> - Search for skills by keyword
  • info <slug> - Get skill details by slug
  • call <slug> <json> - Call a skill with automatic x402 payment
  • direct <url> <json> - Call any x402-enabled endpoint directly

Configuration

Your wallet private key is required for x402 payments. Set it in OpenClaw config (~/.openclaw/openclaw.json):

{
  "skills": {
    "entries": {
      "skillzmarket": {
        "apiKey": "0xYOUR_PRIVATE_KEY"
      }
    }
  }
}

Note: OpenClaw uses apiKey as the standard config field for skill credentials. This maps to the SKILLZ_PRIVATE_KEY environment variable that the skill uses internally.

Alternatively, set the environment variable directly:

export SKILLZ_PRIVATE_KEY=0x...

Environment Variables

  • SKILLZ_PRIVATE_KEY - Wallet private key for x402 payments
  • SKILLZ_API_URL - API endpoint (default: https://api.skillz.market)
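
The shell guard below is an added example, not part of the skill or its SKILL.md. It refuses to run the direct command unless the target host is on an exact-match allow-list and ~/.openclaw/openclaw.json, if present, is owner-only. ALLOWED_HOSTS, SKILLZ_CLI and the function names are assumptions made for illustration.

```shell
# Added example: pre-flight guard around the skillz-cli "direct" command.
# ALLOWED_HOSTS, SKILLZ_CLI and all function names are illustrative assumptions.
ALLOWED_HOSTS="api.skillz.market"   # space-separated hosts you have vetted

# Print the lowercase host of an https:// URL; fail on anything else.
url_host() {
  local url rest host
  url="$1"
  case "$url" in
    https://*) rest="${url#https://}" ;;
    *) return 1 ;;                        # http://, file://, bare hosts
  esac
  rest="${rest%%[/?#]*}"                  # drop path, query, fragment
  case "$rest" in *@*) return 1 ;; esac   # reject user@host authority forms
  host="${rest%%:*}"                      # drop port
  [ -n "$host" ] || return 1
  printf '%s\n' "$host" | tr 'A-Z' 'a-z'
}

# Exact-match the URL's host against the allow-list (no suffix matching).
host_allowed() {
  local host h
  host="$(url_host "$1")" || return 1
  for h in $ALLOWED_HOSTS; do
    if [ "$host" = "$h" ]; then return 0; fi
  done
  return 1
}

# Succeed only if the file's mode is 600 or 400 (owner-only access).
config_is_private() {
  local mode
  [ -f "$1" ] || return 1
  mode="$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null)" || return 1
  case "$mode" in 600|400) return 0 ;; *) return 1 ;; esac
}

# Refuse to sign/pay unless the target is vetted and the key file is private.
safe_direct() {
  local cfg
  cfg="$HOME/.openclaw/openclaw.json"
  host_allowed "$1" || { echo "refusing: host not allow-listed" >&2; return 2; }
  if [ -f "$cfg" ] && ! config_is_private "$cfg"; then
    echo "refusing: $cfg is readable by other users" >&2; return 3
  fi
  npx tsx "${SKILLZ_CLI:-./skillz-cli.ts}" direct "$1" "$2"
}
```

Source the file and call safe_direct <url> <json> in place of the raw direct command; exit status 2 means the host was rejected and 3 means the config file permissions were too loose.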
