Find People (x402)
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
The skill matches its paid OSINT purpose, but it requires a blockchain private key and runs an unpinned npm package with that key, while its metadata declares no credential requirement.
Review this carefully before installing. If you use it, use a dedicated low-balance wallet, inspect or pin the npm package, avoid storing a main private key in plaintext config files, and approve each paid OSINT query intentionally.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A wallet private key can authorize paid requests and potentially expose funds if the invoked package or environment is unsafe.
The script reads a wallet private key from local config and passes it as an environment variable to an external npm tool. This high-impact credential is not declared in the registry metadata.
PRIVATE_KEY=$(jq -r '.private_key' "$CONFIG_FILE" ...); export X402_PRIVATE_KEY="$PRIVATE_KEY"; ... npx -y @itzannetos/x402-tools-claude find-people "$QUERY"
Use only a dedicated low-balance x402/Base wallet, avoid main-wallet private keys, declare the credential requirement clearly, and ensure the invoked package is audited before use.

If the npm package changes or is compromised, the agent may execute unreviewed code with access to the user's payment key.
The skill runs an unpinned npm package via npx -y at runtime. The package code is not included in the artifact review and will receive the payment private key through the environment.
npx -y @itzannetos/x402-tools-claude find-people "$QUERY"
Pin the package version, provide an install spec or vendored/auditable code, and avoid exposing the private key to unreviewed runtime dependencies.

Repeated or unintended invocations could spend USDC, even though each request is low cost.
Each invocation performs a paid request. This is disclosed and aligned with the skill purpose, but users should be aware of the financial effect.
The script:
- Executes OSINT research with payment handling
- Costs $0.15 USDC per request (Base network)
Confirm paid searches before running them and keep only a small balance in the wallet used for this skill.
