ChaosChain ACE (Phase 0)

Pass. Audited by ClawScan on May 10, 2026.

Overview

The skill is clearly about bounded autonomous API payments and includes sensible policy limits, but users should treat wallet-funded session keys and external SDK installation as sensitive.

This skill appears coherent and not malicious from the provided artifact. Before using it, set very low spend limits, short TTLs, and narrow allowed categories; verify every endpoint and price; and pin/review the external SDK because the actual payment code is not included in the skill artifact.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If configured, the agent could spend wallet funds on x402-gated API calls within the policy you set.

Why it was flagged

The skill is designed to let an agent make API payments. This is disclosed and bounded, but payment actions are high-impact and should remain under clear policy limits.

Skill content

Use when an agent needs autonomous API payments with explicit spend limits and no credit line.

Recommendation

Use small per-transaction and daily limits, require visible payment explanations, and review the endpoint, price, and reason before allowing payment.

What this means

A misconfigured session key or overly broad policy could allow unintended spending from the funded wallet.

Why it was flagged

Wallet-funded session keys represent delegated financial authority. The skill describes bounds, but users should understand that these keys can authorize spending.

Skill content

Use ACE Phase 0 to pay x402-gated APIs with bounded wallet-funded session keys.

Recommendation

Fund session keys minimally, set strict TTL and spending caps, limit categories to the needed use case, and revoke keys when finished.

What this means

Runtime payment behavior depends on external package code that is not included in this artifact review.

Why it was flagged

The instruction-only skill depends on external npm packages for runtime behavior, and the example uses version ranges rather than exact pinned versions.

Skill content

npm install @chaoschain/ace-session-key-sdk@0.1.x ethers@6

Recommendation

Pin exact package versions, verify the package source and integrity, and review the SDK before using it with wallet-funded payment authority.