Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Ordiscan
v0.0.2
Inscribe content on Bitcoin via the Ordiscan API. Pays per-request with USDC on Base using the x402 protocol.
by @t4t5
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
The skill's name/description (Ordiscan x402 payments) matches what it requires: a signer (X402_PRIVATE_KEY or wallet file) and node or an alternative wallet tool (awal). The included signing script implements EIP-3009-style TransferWithAuthorization for USDC on Base, which is necessary to produce the Payment-Signature header described in SKILL.md.
Instruction Scope
SKILL.md instructs the agent to read the user's X402_PRIVATE_KEY or, if unset, to extract a private key from ~/.evm-wallet.json (explicitly declared). Those actions are sensitive but directly related to signing payments. The instructions also run npm install to pull 'viem' and optionally call 'awal' if present; they do not reference unrelated system files or external endpoints beyond the Ordiscan API and an RPC URL.
Install Mechanism
This is instruction-only with a small included script and a package.json depending on 'viem'. There is no arbitrary URL download or extract step; installing dependencies is via npm (expected for a node-based signer).
Credentials
The skill requires a single sensitive secret (X402_PRIVATE_KEY) and optionally reads ~/.evm-wallet.json — both are proportional to the described signing purpose. One minor mismatch: the script also honors BASE_RPC_URL (optional) but SKILL.md/metadata do not list it as a declared env var; this is low-risk but should be documented. No unrelated credentials are requested.
Persistence & Privilege
The skill does not request persistent/always-on inclusion and does not attempt to modify other skills or system-wide configuration. It simply provides a signing helper that runs on demand.
Assessment
This skill legitimately needs a private key so it can sign x402 USDC payment authorizations — that is sensitive: only install/use it if you trust the skill source. Before using:
(1) prefer an ephemeral or low-value wallet/key (do not reuse a high-value private key);
(2) verify the recipient/payTo address printed by the signer before approving (the script logs the 'To' address and amount to stderr);
(3) be aware that signing an ERC-3009 TransferWithAuthorization authorizes the payee to claim the stated USDC amount, so double-check the Payment-Required header content;
(4) note the script will contact a Base RPC (BASE_RPC_URL defaults to https://mainnet.base.org) — if you want to control RPC trust, set BASE_RPC_URL to an RPC you trust;
(5) confirm ~/.evm-wallet.json (if used) comes from a trusted wallet skill.
If any of these are unacceptable, do not provide a private key to this skill.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
🟠 Clawdis
Any bin: awal, node
Env: X402_PRIVATE_KEY
Config: ~/.evm-wallet.json
Primary env: X402_PRIVATE_KEY
