Back to skill
Skillv0.1.3
ClawScan security
Cli · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
SuspiciousFeb 28, 2026, 5:51 AM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The CLI appears to implement the described x402r payment/dispute flows, but it requires and persists sensitive private keys and transmits payment metadata to a configurable external arbiter/pinning endpoints — design choices that are coherent with the purpose but carry non-trivial privacy/security risks that you should understand before use.
- Guidance
- This CLI appears to do what it says, but it uses and persists private keys and will send payment metadata to an arbiter server and (optionally) to Pinata. Before installing or using it: 1) Do not supply your primary/production private key — use a disposable test key for evaluation. 2) Review and set the arbiter URL and pinata JWT only to endpoints you trust (default is localhost). 3) Inspect ~/.x402r/config.json and ~/.x402r/*.json after running and remove any private keys you don't want persisted. 4) Be cautious about running the included e2e test — it explicitly writes a merchant private key into last-payment.json in the test mode. 5) If you need the agent to use this skill autonomously, consider the additional risk of stored credentials and restrict invocation or use ephemeral keys. If you want more certainty, provide the maintainer/source (homepage/repo) and a provenance check so I can re-evaluate with higher confidence.
Review Dimensions
- Purpose & Capability
- noteThe code and SKILL.md align: the tool signs payments, submits on-chain refund requests, pins evidence to IPFS, and queries an arbiter. There are no obvious unrelated capabilities (no cloud providers, no unexpected admin APIs). However the skill expects a private key/operator config to operate even though the registry metadata lists no required env vars; configuration is handled via 'x402r config' and persisted to ~/.x402r/config.json.
- Instruction Scope
- noteSKILL.md limits runtime instructions to paying, disputing, status/show/verify flows implemented in the included CLI. The runtime will read/write config and state in the user's home (~/.x402r/), load a .env if present in the package layout, post payment metadata to the configured arbiter, and optionally call Pinata with a JWT. It does not instruct the agent to read arbitrary unrelated system files, but it does persist and reuse local state (including potentially sensitive fields).
- Install Mechanism
- okThis is instruction-only (no external install spec). The package includes source files but there are no downloads or URL-based installers in the skill bundle; runtime uses standard npm/Node dependencies and local filesystem access. No high-risk remote install steps were found.
- Credentials
- concernFunctionality legitimately requires a private key, operator address, arbiter URL, and optionally a Pinata JWT. Those are sensitive. Although the registry lists no required env vars, the CLI relies on PRIVATE_KEY, OPERATOR_ADDRESS, ARBITER_URL, PINATA_JWT, etc. The tool will persist config (including the private key) to ~/.x402r/config.json and may POST payment metadata to your configured arbiter URL — this is proportional to the purpose but high-risk if you provide production keys or point arbiter/pinata to untrusted endpoints.
- Persistence & Privilege
- concernThe CLI writes persistent state and configuration to the user's home (~/.x402r/config.json, last-payment.json, last-dispute.json). That includes the private key if you run 'config --key'. The skill is not marked 'always: true'. Allowing autonomous agent invocation (the default) together with persisted private keys increases the blast radius if you permit the agent to call the skill without manual confirmation.