ClawHub
Back to skill
v1.0.0

cpbox-web-search

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 8:05 AM.

Analysis

This is a coherent web-search skill, but it uses a local wallet/payment-signing flow for pay-per-use searches without clear spend or approval limits in the provided artifacts.

GuidanceReview this skill carefully before installing. It appears purpose-aligned for web search, but you should only use it if you understand the x402 payment setup, can control or cap wallet spending, and are comfortable sending search queries and optional location data to the listed external providers.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
SeverityLowConfidenceHighStatusNote
SKILL.md
npx @springmint/x402-payment \
  --url https://www.cpbox.io/api/x402/web-search \
  --method GET

The documented workflow uses an external npm package through npx. This is purpose-aligned for x402 payment handling, but it is not pinned in the skill artifacts.

User impactFirst use may run code obtained from the npm ecosystem, so the helper package becomes part of the trust chain.
RecommendationInstall or pin a reviewed version of the x402 payment helper and use the official setup documentation from a trusted source.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityHighConfidenceMediumStatusConcern
SKILL.md
Paid Web Search proxy via **x402 pay-per-use** ... **Client signs** the payment requirements (EIP-712) -> Produces a `PAYMENT-SIGNATURE` ... the flow is handled **automatically**.

The skill requires wallet-backed payment signing for use, and the provided instructions do not show clear spend limits, displayed pricing, or required user confirmation before automatic signing.

User impactUsing the skill could cause wallet-authorized pay-per-use charges, and repeated or autonomous searches could spend funds if the x402 setup allows it.
RecommendationBefore installing or using it, verify the x402 payment configuration, set wallet spending limits if possible, require explicit approval for paid requests, and confirm the cost of each search.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
SeverityLowConfidenceHighStatusNote
SKILL.md
API Provider | https://www.cpbox.io ... Facilitator | https://www.cppay.finance ... `X-Loc-Lat` ... `X-Loc-Long` ... downstream services resolve the location directly from coordinates

The skill discloses external provider/facilitator services and optional precise location headers. This is expected for a web-search service but means user queries and optional location data may be sent outside the local environment.

User impactSensitive search terms or precise location information could be shared with the service provider and related downstream services if included in requests.
RecommendationAvoid sending sensitive queries or location headers unless needed, and review the provider’s privacy and data-use terms.