Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
x402 Singularity Layer
v1.10.6
x402-layer helps agents pay for APIs with USDC, deploy monetized endpoints, manage credits/webhooks/marketplace listings, and handle wallet-first ERC-8004 re...
by Ivaavi.eth @ivaavimusic
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (x402 payments, monetized endpoints, ERC-8004, webhooks, marketplace) match the included scripts and docs: payment signing, webhook management, marketplace discovery, agent registration, and support helpers are all implemented. Required binaries (python3, node) and optional OWS/AWAL CLIs are expected for the described functionality. No unrelated cloud credentials or surprising subsystems are requested.
Instruction Scope
SKILL.md and the scripts instruct network calls to api.x402layer.cc and studio.x402layer.cc, local invocation of AWAL/OWS, and use of environment variables for credentialed flows. The skill emphasizes a no-secret read-only path and only using credentials for signing/owner actions — this aligns with the code. Note: many scripts will read sensitive env vars (PRIVATE_KEY, SOLANA_SECRET_KEY, X_API_KEY/API_KEY, WALLET_ADDRESS, OWS_WALLET, SUPPORT_AGENT_TOKEN, RPC URLs). Ensure the agent only asks for these when the user explicitly requests credentialed operations.
Install Mechanism
There is no automated install spec in registry metadata (instruction-only install). SKILL.md directs the user to pip install -r requirements.txt; requirements are common libraries (web3, eth-account, requests, pyjwt, cryptography, solders). No downloads from untrusted URLs or archive extraction are present in the manifest. Installing Python deps is standard but will pull packages from PyPI.
Credentials
The registry declares no required env vars, but the code expects many optional and sensitive variables for credentialed flows (PRIVATE_KEY, WALLET_ADDRESS, SOLANA_SECRET_KEY, X_API_KEY/API_KEY, OWS_WALLET, OWS_BIN, SUPPORT_AGENT_TOKEN, and RPC URL overrides). These are proportionate to wallet signing, webhook configuration, and control-plane actions, but they are high-value secrets — only provide them if you intend to perform owner-scoped or on-chain operations. The skill follows a principle of allowing discovery without secrets.
Persistence & Privilege
always:false and no claim of modifying other skills or system-wide configs. Default autonomous invocation is allowed (platform default) but not elevated by 'always' or other persistent privileges. The skill does call local binaries when configured (AWAL/OWS) which requires those binaries to be installed and on PATH or via env overrides.
Assessment
This skill appears to be what it claims: a Web3 payment/monetization toolkit. Before installing or running it:
1) Only provide secrets (private keys, SOLANA_SECRET_KEY, API keys, SUPPORT_AGENT_TOKEN, RPC URLs) when you explicitly choose a runbook that needs signing or owner-level actions — otherwise stay on the read-only discovery flows.
2) Prefer ephemeral or wallet-backed flows (AWAL, OWS, API keys with limited scope) instead of long-lived mainnet private keys.
3) Review webhook signing secrets and rotate them if you paste them into shared systems.
4) Run pip install -r requirements.txt in an isolated virtualenv and audit any third-party dependencies if you have policy constraints.
5) If you want to prevent accidental on-chain signing or token leakage, restrict agent invocation or deny credential prompts unless you explicitly approve them.
If you want additional assurance, provide the full truncated contents of any remaining truncated files for review (some files were omitted in the input).
scripts/xmtp_support.mjs:11
Environment variable access combined with network send.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
⚡ Clawdis
OS: Linux · macOS
Bins: python3, node
