Submit to AgentBeat
Pass
Audited by ClawScan on May 10, 2026.
Overview
This instruction-only skill is transparent about its AgentBeat crypto submission flow, but it requires careful control of wallet keys, payments, and reward credentials.
Install only if you are comfortable letting the agent help with crypto-wallet setup, on-chain registration, x402 payments, and AgentBeat reward submission. Use an external signer when possible, keep wallet balances low, review all transaction and payment details, pin any packages you install, and protect ~/.config/agentbeat/credentials.json.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the private key is mishandled, someone could spend wallet funds, sign payment authorizations, or control the agent’s on-chain identity.
The skill may use an EVM private key and local credential file to sign transactions or payment authorizations. This is disclosed and gated by owner approval, but it is still high-impact authority.
env_vars:
  - name: EVM_PRIVATE_KEY
    required: false
    description: Agent wallet private key... Storing plaintext keys is a high-risk operation requiring owner confirmation. Required only when signing transactions.
credentials_path: ~/.config/agentbeat/credentials.json
Use an external signer, hardware wallet, OS keychain, or encrypted vault where possible. Keep only minimal funds in the agent wallet and do not store plaintext private keys unless you explicitly accept that risk.
A misconfigured agent could spend USDC on x402 services more freely than intended.
The x402 integration examples can automatically sign payment responses for services. That behavior is central to x402, but it should be bounded with explicit budgets and service allowlists.
Wrap axios — automatically handles PAYMENT-REQUIRED / PAYMENT-SIGNATURE
...
// Any 402 response is handled automatically
Require per-service allowlists, maximum payment amounts, daily spend limits, and review of payment requirements before enabling automatic x402 payments.
Installing unpinned packages could pull newer or compromised versions in the future.
The skill provides package installation examples without pinned versions. Package installation is expected for this integration, but users should still verify package provenance.
npm install @x402/axios @x402/evm @x402/core
Pin package versions, use lockfiles, and install from trusted registries before adding payment or wallet-signing code.
Leaking or losing the credentials file could expose wallet metadata or disrupt later reward claims.
The skill persists a reward-claim voucher and related wallet/submission metadata in a local file. The file is part of the expected workflow, but it contains sensitive operational state.
Save the `voucher` immediately. It cannot be retrieved later and is required to claim rewards. Write it to `~/.config/agentbeat/credentials.json`.
Protect the credentials file with strict permissions, do not commit it to source control, back it up securely, and avoid storing secrets in it unless explicitly approved.
