cpbox-llm-context

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is a coherent paid web-grounding API skill, but it can trigger automatic x402 payments without clearly declaring payment credentials, spending limits, or per-call approval.

Before installing or using this skill, confirm how x402 payment is configured, use a capped or low-balance payment account, require confirmation for paid calls, and avoid sending private queries or precise location data unless you trust the provider.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the payment setup is configured, agent use of this skill could spend funds automatically when making API requests.

Why it was flagged

This shows the skill may use payment-signing authority and automatic pay-per-use settlement, but the provided artifacts do not define spending limits, per-call approval, or credential boundaries.

Skill content

Client signs (EIP-712) -> PAYMENT-SIGNATURE ... With `@springmint/x402-payment` or `x402-sdk-go`, payment is **automatic**.

Recommendation

Use a dedicated low-balance or capped payment wallet/account, verify x402 pricing and limits, and require explicit user approval before paid calls.

What this means

Running the helper may execute third-party package code and its behavior could change if an unpinned latest version is used.

Why it was flagged

The skill relies on external setup documentation and an unpinned npm-executed helper that are not included in the provided artifact set; this is purpose-aligned but should be verified before running.

Skill content

Prerequisites: This skill requires x402-payment. Complete the [setup steps](../../README.md#prerequisites) before first use. ... `npx @springmint/x402-payment`

Recommendation

Inspect the referenced setup instructions, confirm the package source is trusted, and pin a known-good version where possible.

What this means

The provider or facilitator may receive search terms, request metadata, payment metadata, and any optional location information included in requests.

Why it was flagged

The skill sends search requests to external provider and payment facilitator domains, and optionally supports location headers; this is expected for the service but can expose sensitive query or location data.

Skill content

API Provider | https://www.cpbox.io ... Facilitator | https://www.cppay.finance ... `X-Loc-Lat`, `X-Loc-Long`, `X-Loc-City`

Recommendation

Avoid submitting confidential queries or precise location data unless necessary, and review the provider's privacy and payment terms.