ClawHub

Find People (x402)

Open Source Intelligence (OSINT) tool for researching individuals - professional backgrounds, career timelines, due diligence, competitive intelligence, and investor research. Use when users need to research people, verify credentials, or gather professional information. Costs $0.15 USDC per request via x402 protocol on Base network.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
5 · 2k · 0 current installs · 0 all-time installs
by@TzannetosGiannis
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill claims to be an OSINT 'find people' tool that charges via the x402 protocol, which plausibly requires a payment key — but the registry metadata lists no required environment variables or credentials. The included script and documentation in SKILL.md explicitly require an X402 private key and call out Base/USDC payments. Also the script requires jq and Node/npm (npx) at runtime but the metadata declares no required binaries. These mismatches indicate the declared metadata is incomplete or misleading.
!
Instruction Scope
SKILL.md instructs the user to place a private key in an environment variable or in a config file in the home/current directory. The script reads config files from multiple locations ($HOME, PWD) and exports X402_PRIVATE_KEY, then runs 'npx -y @itzannetos/x402-tools-claude find-people "$QUERY"'. The script itself does not transmit the key, but invoking an npm package fetched at runtime gives that package the opportunity to access and exfiltrate the private key or other data. The instructions also recommend creating a plaintext file in the home directory for a private key — a risky practice.
!
Install Mechanism
There is no install spec, but the script uses 'npx -y' which will fetch and execute @itzannetos/x402-tools-claude from the npm registry at runtime. This is a moderate-to-high risk action because it runs unverified remote code. The npm package author/publisher is not documented in the skill metadata or homepage, and the package name does not obviously match the skill owner. The script also relies on jq and Node/npm, but those binaries are not declared in metadata.
!
Credentials
The skill requires a sensitive X402 private key (used to pay USDC on Base), but the registry metadata lists no required env vars or primary credential. Asking users to store a blockchain private key as plaintext in ~/.x402-config.json or an env var is disproportionate without strong safeguards. The skill reads config files in multiple locations, which can increase accidental exposure if run in shared contexts. No justification is provided for why a raw private key is necessary versus a safer payment/auth pattern.
Persistence & Privilege
The skill does not request 'always: true' and does not modify other skills or system settings. Autonomous invocation is allowed (platform default) — note that if an agent has access to the private key and can autonomously invoke the skill, the risk increases, but that is a platform-level consideration rather than a direct misconfiguration of this skill.
What to consider before installing
What to consider before installing/using this skill: - Do not upload or paste your main blockchain private key unless you fully trust the code and publisher. The skill instructs you to store the private key in an env var or plaintext file (~/.x402-config.json), which is high-risk. - The script runs 'npx -y @itzannetos/x402-tools-claude', which downloads and executes code from npm at runtime. That package could read and exfiltrate any local files or keys available to the process. - Metadata is inconsistent: the registry claims no required credentials/binaries, but the README/script require a private key, jq, and Node/npm. This mismatch is a red flag. - If you must test: use an isolated environment (VM/container) and a throwaway wallet with minimal funds/USDC; audit the npm package source (and its maintainer) before running; ensure jq and Node versions are safe; prefer running the npm package code locally after review rather than via npx. - Ask the publisher for missing details: the npm package repository URL, package maintainer identity, why a raw private key is required, and whether a delegated/authenticated payment mechanism (wallet connect, signing via hardware wallet, or ephemeral key) is supported. - If you are uncomfortable supplying a private key or executing unverified remote code, do not install or run this skill.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
background-checkvk972azthakw22h9gyxzzv39ng1805hnrdue-diligencevk972azthakw22h9gyxzzv39ng1805hnrlatestvk972azthakw22h9gyxzzv39ng1805hnrlinkedinvk972azthakw22h9gyxzzv39ng1805hnrosintvk972azthakw22h9gyxzzv39ng1805hnrpeople-searchvk972azthakw22h9gyxzzv39ng1805hnrresearchvk972azthakw22h9gyxzzv39ng1805hnrx402vk972azthakw22h9gyxzzv39ng1805hnr

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Find People (OSINT)

Research individuals using Open Source Intelligence gathering and AI-powered analysis.

Configuration

The private key must be available via one of these methods:

Option 1: Environment variable

export X402_PRIVATE_KEY="0x..."

Option 2: Config file (Recommended)

The script checks for x402-config.json in these locations (in order):

  1. Current directory: ./x402-config.json
  2. Home directory: ~/.x402-config.jsonRecommended
  3. Working directory: $PWD/x402-config.json

Create the config file:

{
  "private_key": "0x1234567890abcdef..."
}

Example (home directory - works for any user):

echo '{"private_key": "0x..."}' > ~/.x402-config.json

Usage

Run the research script with a person's name or description:

scripts/research.sh "<person query>"

The script:

  • Executes OSINT research with payment handling
  • Costs $0.15 USDC per request (Base network)
  • Returns comprehensive AI-processed intelligence report

Examples

User: "Find information about the founder of Ethereum"

scripts/research.sh "Vitalik Buterin Ethereum founder"

User: "Research the CEO of OpenAI"

scripts/research.sh "Sam Altman OpenAI CEO"

User: "Tell me about Elon Musk's career timeline"

scripts/research.sh "Elon Musk career history"

Capabilities

  • Professional background research
  • Career timeline verification
  • Due diligence on potential hires/partners
  • Competitive intelligence on industry leaders
  • Investor research on startup founders
  • Educational background verification
  • Public accomplishments and publications

Error Handling

  • "Payment failed: Not enough USDC" → Inform user to top up Base wallet with USDC
  • "X402 private key missing" → Guide user to configure private key (see Configuration above)
  • Timeout errors → The API has a 5-minute timeout; comprehensive research may take time

Use Cases

  • Hiring: Verify candidate backgrounds and experience
  • Partnerships: Due diligence on potential business partners
  • Investment: Research startup founders and leadership teams
  • Competitive Analysis: Track industry leaders and their moves
  • Journalism: Background research for interviews or articles

Files

2 total
Select a file
Select a file to preview.

Comments

Loading comments…