Agentic X402
Warn. Audited by ClawScan on May 10, 2026.
Overview
The skill appears purpose-aligned, but it can let an agent use a private-key wallet to spend real crypto automatically, so it needs careful review and tight limits.
Install only if you are comfortable letting an agent operate a dedicated crypto wallet. Use testnet first, keep only small funds in the wallet, set strict payment limits, verify any paid URL or router address, and do not expose the private key stored in ~/.x402/.env.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent, a mistaken request, or a malicious paid endpoint could cause real wallet funds to be spent automatically within configured limits, potentially repeatedly.
The skill grants access to all x402 commands and explicitly describes automatic payment behavior. The artifacts mention per-payment limits, but not mandatory user confirmation, merchant/domain allowlists, or cumulative spend caps.
allowed-tools: Bash(x402:*) Bash(npm:*) Read ... enables agents to autonomously make crypto payments ... if the resource requires payment, it's handled automatically.
Use a dedicated low-balance wallet, start on testnet, set a strict X402_MAX_PAYMENT_USD, and require explicit user approval or an allowlist before pay/fetch/create-link actions.
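The per-payment cap, cumulative spend cap and merchant allowlist that this finding says the artifacts lack can be enforced by a small gate run before any pay/fetch action. The block below is an added example, not the skill's own code; the requirement object's field names (resource, maxAmountRequired in USDC base units) and the 6-decimal USDC assumption are assumptions, and the host list and amounts are constructed sample values.

```javascript
// Added example (not the skill's code): a spend gate for an agent's x402 pay/fetch path.
// Enforces a per-payment cap, a cumulative cap across the session, and a host allowlist.
// Assumption: amounts arrive as USDC base units (6 decimals) in a string field.
const USDC_DECIMALS = 6;
const UNITS_PER_USD = 10n ** BigInt(USDC_DECIMALS);

// Convert a decimal USD string such as "0.25" to USDC base units as a bigint.
// Strings are used instead of floats so "0.1 + 0.2" style rounding cannot widen a cap.
function usdToUnits(usd) {
  const [whole, frac = ""] = String(usd).split(".");
  if (!/^\d+$/.test(whole) || !/^\d*$/.test(frac) || frac.length > USDC_DECIMALS) {
    throw new Error(`bad USD amount: ${usd}`);
  }
  return BigInt(whole) * UNITS_PER_USD + BigInt(frac.padEnd(USDC_DECIMALS, "0"));
}

// maxPaymentUsd / maxTotalUsd are decimal strings; allowedHosts are exact hostnames.
function createSpendGate({ maxPaymentUsd, maxTotalUsd, allowedHosts }) {
  const maxPayment = usdToUnits(maxPaymentUsd);
  const maxTotal = usdToUnits(maxTotalUsd);
  const hosts = new Set(allowedHosts.map((h) => h.toLowerCase()));
  let spent = 0n; // running total of amounts the gate has approved

  // requirement: { resource: "https://host/path", maxAmountRequired: "250000" } (assumed shape).
  // Returns { allow, reason }; the amount is counted against the total only when allowed.
  function check(requirement) {
    let host;
    try {
      host = new URL(requirement.resource).hostname.toLowerCase();
    } catch {
      return { allow: false, reason: "unparseable resource URL" };
    }
    if (!hosts.has(host)) return { allow: false, reason: `host not allowlisted: ${host}` };
    if (!/^\d+$/.test(String(requirement.maxAmountRequired))) {
      return { allow: false, reason: "amount is not an integer base-unit string" };
    }
    const amount = BigInt(requirement.maxAmountRequired);
    if (amount > maxPayment) return { allow: false, reason: "exceeds per-payment cap" };
    if (spent + amount > maxTotal) return { allow: false, reason: "exceeds cumulative cap" };
    spent += amount;
    return { allow: true, reason: "ok" };
  }

  return { check, spent: () => spent };
}
```

A denied result should stop the agent before any payment authorization is signed, and a denial on the allowlist or cumulative cap is the moment to hand the decision back to a human.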
A wrong or agent-chosen router address could cause irreversible blockchain transactions, gas costs, or movement of router funds.
The distribute command signs an on-chain transaction to a supplied router address and defaults to distributing the full router balance. The visible code does not show an interactive confirmation or dry-run step before signing.
else { distributeAmount = routerBalance; } ... const txHash = await client.walletClient.writeContract({ address: routerAddr, ... functionName: 'distribute', args: [usdcAddress, distributeAmount] });
Verify router addresses out-of-band, add a dry-run/confirmation step, and consider amount caps or an allowlist before allowing an agent to run distribute.
If the key is exposed or the agent is allowed to overuse it, funds in that wallet can be spent or lost.
The private key is expected for x402 wallet signing and is disclosed, but it is a high-value credential that controls wallet funds.
`EVM_PRIVATE_KEY` | Your wallet private key (0x-prefixed). Used to sign payment authorizations. ... Your private key is stored in `~/.x402/.env`.
Never use a main wallet; use a dedicated wallet with limited funds, protect ~/.x402/.env, and rotate the wallet if the key may have been exposed.
Running the skill executes npm package code on the local machine.
The CLI may execute tsx via npx to run the bundled command files. This is normal for this Node-based CLI, but it still means installing/running the skill executes local package code and dependencies.
child = spawn('npx', ['tsx', cliPath, ...process.argv.slice(2)], { stdio: 'inherit', env });
Install only from a trusted npm source and keep dependency review/lockfile checks in place.
Any text, URLs, or webhook endpoints provided for link creation are shared with the configured x402-links service.
Creating a payment link sends the supplied gated text, URL, and webhook information to the configured external link service. This is purpose-aligned, but privacy-relevant.
if (gatedText) requestBody.gatedText = gatedText; if (webhookUrl) requestBody.webhookUrl = webhookUrl; const apiUrl = `${config.x402LinksApiUrl}/api/links/programmatic`; ... body: JSON.stringify(requestBody)
Only submit content intended to be hosted/gated by that service, and verify X402_LINKS_API_URL before using create-link.
