Cli
Warn. Audited by ClawScan on May 10, 2026.
Overview
The skill matches its payment-dispute purpose, but it gives an agent wallet private-key/payment authority through an unpinned CLI and lacks clear built-in payment approval limits.
Review carefully before installing. If you use it, use a dedicated low-balance wallet, pin and verify the CLI package version, confirm every merchant URL and payment amount yourself, avoid storing valuable private keys, and do not upload sensitive evidence unless you intend it to be externally stored.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If an agent invokes `pay` on the wrong or malicious merchant URL, the wallet can authorize an escrow payment without an additional human confirmation step.
After fetching payment requirements from a user/agent-supplied URL, the CLI signs a payment payload and immediately retries the request with payment headers. The artifacts do not show a confirmation prompt, amount cap, merchant allowlist, or other guardrail before funds are authorized.
const paymentPayload = await httpClient.createPaymentPayload(paymentRequired); ... const res200 = await fetch(url, { headers: paymentHeaders });
Use only a dedicated low-balance wallet, verify the merchant URL and amount out-of-band, and require explicit user confirmation before any `pay` or `dispute` command that signs or submits transactions.
A stored or environment-provided private key could be used by the CLI to sign payments and on-chain dispute actions; plaintext local storage increases the consequence of local compromise or accidental sharing.
The CLI resolves a wallet private key from environment or config file and writes merged config to `~/.x402r/config.json`. That private key controls payment authority, while the registry metadata declares no primary credential or required env vars.
privateKey: process.env.PRIVATE_KEY || file.privateKey, ... fs.writeFileSync(CONFIG_FILE, JSON.stringify(merged, null, 2));
Do not use a primary wallet. Prefer a throwaway/test wallet with minimal funds, avoid storing long-lived private keys if possible, restrict `~/.x402r/config.json` permissions, and rotate the key if exposed.
A changed or compromised npm package could run with access to the supplied private key and the user's local environment.
The setup command runs an unpinned npm package with `--yes` auto-confirmation and passes a wallet private key. Because the registry source is unknown and no install spec pins the reviewed artifact, the executed package may not be the exact reviewed code.
npx --yes @x402r/cli config --key <private-key> --arbiter-url https://www.moltarbiter.com/arbiter
Pin an exact package version or audited source, verify package provenance before use, and avoid supplying a valuable wallet key to an unpinned remote CLI.
Evidence details or attached file contents may be uploaded to an external pinning service and referenced on-chain by CID.
Dispute evidence is sent to Pinata/IPFS when a Pinata JWT is configured. This is aligned with the dispute workflow, but evidence may include user-provided text or file attachments and can become externally stored/persistent.
await fetch("https://api.pinata.cloud/pinning/pinJSONToIPFS", { ... Authorization: `Bearer ${config.pinataJwt}`, body: JSON.stringify({ pinataContent: data, ... }) })
Review evidence files carefully before submission, avoid including secrets or unrelated personal data, and understand the retention/publicity implications of IPFS pinning.
Running the test file can execute CLI commands with the current environment, including wallet-related variables.
Shell execution is present in the integration test harness to run CLI commands. It is not part of the registered CLI command workflow shown in `bin/x402r.ts`, but it would execute local commands if a user runs the tests.
return execSync(cmd, { cwd: PROJECT_ROOT, env: cliEnv, encoding: "utf-8", timeout: 120000, });
Do not run test scripts with production private keys or unrestricted environments.
