tron-x402-payment-demo

Audited by ClawScan on May 10, 2026.

Overview

This demo is consistent with the x402 payment flow, but it asks the agent to use a TRON private key and to perform blockchain payments and signing automatically, without clear spending limits or approval controls.

Treat this as a review-needed wallet/payment skill. Only use it with a limited test wallet, verify the TRON network, recipient, and amount before signing, and do not install it unless the helper payment skill and credential requirements are clearly disclosed and reviewed.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A user could unintentionally allow the agent to sign or pay from a TRON wallet without fully understanding the scope.

Why it was flagged

The skill expects access to a TRON private key and instructs the agent to sign permits, which can authorize wallet actions. The provided registry requirements state that there are no required env vars and no primary credential, and the workflow does not specify amount, recipient, or approval boundaries.

Skill content

"env":["TRON_PRIVATE_KEY"] ... "signing permits"

Recommendation

Require explicit wallet setup disclosure, show the exact payment amount and recipient, use a limited test wallet, and require user confirmation before any signing or payment.

What this means

The agent may perform a real or testnet blockchain payment automatically when the demo is triggered.

Why it was flagged

The workflow makes payment automatic and does not describe user approval, spend limits, cancellation, or verification before a high-impact payment action. It also fetches from an HTTP URL, increasing the need for explicit verification before payment negotiation.

Skill content

"Perform the payment and resource acquisition automatically as guided by the protocol"

Recommendation

Do not perform payment automatically; display the resource URL, network, amount, recipient, and permit details, then ask the user to approve before signing.

What this means

Users cannot verify from these artifacts what code or instructions will actually handle their wallet key and payment flow.

Why it was flagged

The payment and signing logic is delegated to another skill that is not included in the manifest, install spec, or reviewed files. Because that missing dependency handles wallet-sensitive behavior, the provenance gap is material.

Skill content

"follow the instructions provided by the `x402_payment_tron` skill"

Recommendation

Declare and pin the dependency, include the relevant reviewed implementation or installation details, and document exactly what the helper skill is allowed to do.