cpbox-llm-context
Pass
Audited by VirusTotal on May 9, 2026.
Overview
Type: OpenClaw Skill
Name: cpbox-llm-context
Version: 1.0.0
The skill bundle contains documentation and instructions for an AI agent to interface with the cpbox.io LLM Context API, a paid RAG/grounding service utilizing the x402 payment protocol. The SKILL.md file outlines standard API usage, including parameters for search queries, location-based filtering via headers (X-Loc-Lat, X-Loc-Long), and custom ranking rules (Goggles). No malicious code, data exfiltration patterns, or harmful prompt injections were identified; the functionality is transparently documented and aligned with its stated purpose as a search tool for AI agents.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If configured, an agent could make paid requests and sign payment messages, potentially spending funds beyond what the user expected.
This shows the skill needs payment-signing authority and can automatically settle paid requests, but the visible artifact does not define cost, spending limits, approval boundaries, or payment-scope constraints.
Paid LLM Context proxy via **x402 pay-per-use** ... Client signs (EIP-712) -> `PAYMENT-SIGNATURE` ... Server settles ... payment is **automatic**.
Verify the x402 setup, exact price, asset, facilitator, and recipient before enabling; use a limited wallet or spending cap and require explicit approval for paid calls.
A changed or compromised payment helper package could affect how paid requests are made.
The documented helper is fetched/executed through npx without a visible version pin. This is purpose-aligned setup, but it is important because it sits in the payment-signing workflow.
npx @springmint/x402-payment \
  --url "https://www.cpbox.io/api/x402/llm-context?q=rust+ownership&maximum_number_of_tokens=4096"
Install payment tooling from a trusted source, pin versions where possible, and review the package before connecting a funded wallet.
Search terms and optional location data may be shared with the external provider/facilitator.
The skill sends queries to disclosed external services and supports optional location headers, including precise latitude and longitude.
| **API Provider** | https://www.cpbox.io | ... | **Facilitator** | https://www.cppay.finance | ... `X-Loc-Lat` ... `X-Loc-Long` ... `X-Loc-City`
Avoid sending sensitive queries or precise location unless needed, and review the provider’s privacy and retention practices.
A model could be influenced by instructions embedded in retrieved web pages if the calling agent does not treat them as data.
The skill intentionally returns raw web content for LLM grounding. That content is untrusted and could contain prompt-injection-style instructions if the agent treats it as authoritative.
LLM Context extracts the actual page content—text chunks, tables, code blocks, and structured data—so your LLM or AI agent can reason over it directly.
Treat returned web content as untrusted evidence, not instructions, and keep system/developer/user instructions higher priority than retrieved text.
