cpbox-answers
Security checks across malware telemetry and agentic risk
Overview
This instruction-only AI answer skill is not shown to be malicious, but it uses an automatic paid x402 payment flow without clearly documented spending limits or per-request approval.
Before installing or using this skill, confirm that you trust cpbox.io/cppay.finance and the x402 payment helper. Configure a strict spending limit or isolated wallet, require confirmation before paid calls, and do not include sensitive information in prompts unless you are comfortable sending it to the external provider.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If configured with payment credentials, an agent using this skill could incur pay-per-use charges without a clearly documented confirmation or budget limit.
The skill expects a client to sign payment authorizations and says the payment process is automatic, but the artifact does not show user approval, spending caps, or wallet/payment scoping.
Client signs (EIP-712) -> PAYMENT-SIGNATURE ... With `@springmint/x402-payment` or `x402-sdk-go`, payment is **automatic**.
Use only with a constrained payment wallet or account, require explicit approval before each paid request, and verify the x402 payment requirements and price before signing.
Running the helper can execute code fetched from the npm ecosystem, so trust depends on the external package and its current published version.
The documented workflow runs an external npm package through npx, and the artifact does not pin a version or include that package for review.
npx @springmint/x402-payment \
  --url https://www.cpbox.io/api/x402/answers
Pin and verify the payment helper package version, review its provenance, and prefer a locally installed trusted version for payment handling.
Questions and any included context are sent to the cpbox.io service for processing.
The skill sends user prompts to a disclosed third-party API endpoint, which is expected for an AI answer proxy but should be visible to users.
curl -X POST "https://www.cpbox.io/api/x402/answers" ... "messages": [{"role": "user", "content": "How does the James Webb Space Telescope work?"}]
Avoid sending sensitive or confidential information unless you trust the provider and its data-handling terms.
