Alpha Finder (x402)
Verdict: Warn
Audited by ClawScan on May 10, 2026.
Overview
Alpha Finder has a coherent paid market-research purpose, but it requires a wallet private key and runs an unpinned external npm package to make paid requests.
Treat this as a paid wallet-integrated tool. Before installing, verify the npm package source, use only a dedicated low-balance x402 wallet, avoid storing a main private key in plaintext, and be aware that each invocation can spend USDC.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
1. Using the skill can spend USDC from the configured wallet.
Each use of the tool is intended to trigger a paid x402 request. This is disclosed and purpose-aligned, but users should be aware that repeated or autonomous invocations can incur charges.
Evidence: Costs $0.03 USDC per request (Base network)
Recommendation: Use the skill only when you intend to pay for a request, and prefer a dedicated low-balance wallet with clear spending limits.
2. If the key is exposed or misused by the runtime tool, the wallet could be used for payments or other signing actions beyond the intended market query.
The skill asks the user to provide a raw wallet private key, which is high-impact signing and spending authority, not just a narrow API token.
Evidence: The private key must be available via one of these methods: ... export X402_PRIVATE_KEY="0x..." ... "private_key": "0x1234567890abcdef..."
Recommendation: Do not use a main wallet key. Use a dedicated x402 wallet with minimal USDC, restrict file permissions on any config file, and require explicit approval or spending caps for paid calls.
3. A changed or compromised npm package could run unreviewed code with access to the wallet private key and paid request flow.
The reviewed script downloads/runs an npm package without a pinned version or lockfile, and that external package executes in the same environment that contains X402_PRIVATE_KEY.
Evidence: npx -y @itzannetos/x402-tools-claude alpha-finder "$QUERY"
Recommendation: Pin the package version or digest, provide a reviewed lockfile or vendored code, avoid silent npx -y execution, and document the package provenance before users provide wallet credentials.
