Skill v1.0.0

ClawScan security

Alpha Finder (x402) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious (Feb 11, 2026, 8:33 AM)

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary
The skill asks users to provide a private key and then dynamically downloads and runs an unvetted npm package (via npx) but the registry metadata claims no credentials or install requirements — this mismatch and the runtime fetch of remote code are concerning.
Guidance
This skill is suspicious because it asks for a sensitive private key (not declared in registry metadata) and then uses npx to download and run a third-party npm package at runtime. npx -y runs unvetted code which could exfiltrate any environment variables or files it has access to. Before using this skill:

1) Do not store your main wallet private key in plaintext; if you must test, use an ephemeral key with minimal funds and permissions.
2) Inspect the source of the npm package @itzannetos/x402-tools-claude (on npm/GitHub) and review what it does with X402_PRIVATE_KEY.
3) Require the skill owner to declare required env vars and binaries (jq, npx) in metadata and to provide a vetted install mechanism or vendored code instead of runtime npx.
4) Prefer running this script in an isolated environment (air-gapped VM or container) if you must try it.
5) If you cannot verify the npm package and the author's identity, avoid providing any private key or wallet with real funds.

Additional information that would change the assessment: an explicit, auditable install artifact (no runtime npx), published source code for @itzannetos/x402-tools-claude that you or a reviewer can inspect, or removal of the need to provide a private key.

Review Dimensions

Purpose & Capability
Concern: The description (market oracle, $0.03 per request via x402) implies on-chain payments and therefore a private key is plausible, but the registry metadata lists no required env vars or credentials. The SKILL.md and the script both require an X402 private key and discuss Base/USDC payments; that credential requirement is missing from the declared metadata, which is an incoherence.
Instruction Scope
Concern: The SKILL.md instructs the user to place a raw private key in an env var or plaintext config file (~/.x402-config.json or other locations). The included script reads multiple filesystem locations (./, $HOME, $PWD) for the config and exports X402_PRIVATE_KEY into the environment before invoking remote code. The instructions therefore encourage storing and exposing a private key in widely accessible places and do not constrain or limit where the secret may flow.
Install Mechanism
Concern: There is no install spec, but the runtime script calls 'npx -y @itzannetos/x402-tools-claude ...', which will fetch and execute arbitrary code from the npm registry at runtime. That dynamic download/execute behavior is high risk and is not declared in the registry metadata. The script also depends on tools (npx/npm, jq) that are not declared as required binaries.
Credentials
Concern: The skill effectively requires a sensitive credential (X402 private key) and suggests storing it in plaintext in the home directory or passing it via env var; yet the registry metadata lists no required env variables. Passing a private key to unvetted remote code (via env) is disproportionate. Storing a private key in common locations (~/.x402-config.json, ./) increases the risk of accidental exposure or exfiltration by other processes.
Persistence & Privilege
Note: The skill does not request 'always: true' and does not declare persistent installation. However, it recommends writing a persistent config file (~/.x402-config.json), which creates long-lived secret material on disk. The remote npx invocation could also install packages into the npm cache, but the skill itself does not request system-wide persistence or modify other skill configs.