Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

x402-wurk

v1.0.0

Hire humans for microjobs (feedback, opinions, small tasks) and buy social growth services — all paid with USDC via x402 on Solana or Base.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description (hire humans, buy social-growth services paid with USDC via x402 on Solana/Base) align with the instructions: endpoints, payment flow, and example client usage all implement that functionality. The npm packages referenced (@x402/*) and the endpoints at wurkapi.fun are coherent with the described purpose.
Instruction Scope
SKILL.md instructs network calls to https://wurkapi.fun for all paid endpoints and includes copy-paste install/use examples that: curl files from wurkapi.fun into ~/.openclaw/skills, run npm install for @x402 packages, generate wallets and print private keys to stdout, and sign payments. The instructions do not ask for unrelated system data, but they do direct you (or an agent) to fetch and run remote artifacts and to handle private keys — actions that broaden the runtime scope and carry risk if executed automatically.
Install Mechanism
There is no formal install spec in the registry, but SKILL.md recommends: (a) curl downloads from https://wurkapi.fun into ~/.openclaw/skills and (b) npm install of scoped packages (@x402/*). Downloading and writing files from a third-party domain and installing unreviewed npm packages are higher-risk operations because they pull code from an external host that is not a well-known release portal. The skill’s package.json/repository points to the same domain rather than a tracked GitHub repo.
Credentials
The skill declares no required environment variables or credentials, and the actions described (create a wallet, request USDC, sign payments) are consistent with a payments client. It does not request unrelated cloud credentials or host tokens. However, it expects the user/agent to generate and use private keys — which must be handled carefully (use a throwaway/dedicated wallet and never paste secret keys into untrusted contexts).
Persistence & Privilege
Flags show always:false and no requested config-paths or system modifications. The SKILL.md suggests adding files to ~/.openclaw/skills only if you run the provided curl commands; the skill itself does not declare forced persistence or modification of other skills.
What to consider before installing
This skill appears to do what it says (paid microjobs via x402), but before installing or running it you should: (1) verify the operator/domain (wurkapi.fun) and prefer packages hosted on well-known repositories; (2) review the source code of any @x402 npm packages and the server API if possible — do not blindly run npm install; (3) avoid exposing your primary private keys — use a new, funded-with-minimum USDC wallet for testing and never paste full private keys into an agent or logs; (4) be aware you will be interacting with paid endpoints that require signing payments (financial risk) and that buying social interactions may violate platform policies; (5) if you want to proceed, manually inspect downloaded files before executing them and consider running any clients inside an isolated environment. Because the skill instructs downloading and installing remote artifacts but provides no registry install spec or public audited repo, treat it as higher-risk until you can audit the code/server.

Like a lobster shell, security has layers — review code before you run it.


Runtime requirements

🔨 Clawdis
