Gated Alpha
Verdict: Warn. Audited by ClawScan on May 10, 2026.
Overview
The skill is clear that it buys crypto alpha, but the provided instructions give an agent wallet-signing/payment authority and webhook-driven purchase logic without clear approval, spending, or verification safeguards.
Review this skill carefully before use. If you install it, use a separate low-balance wallet, never paste a main wallet private key into agent-visible code, require manual approval for every purchase, set strict spending limits, verify webhooks, and pin/review the x402 and viem dependencies.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Finding 1: Wallet private key exposed to the agent
Impact: If the agent or runtime mishandles this key, funds in that wallet could be spent or the wallet could be compromised.
Detail: The purchase workflow requires access to a wallet private key capable of signing x402/USDC payments, even though the registry metadata declares no primary credential.
Evidence: `const account = privateKeyToAccount('0x<your-private-key>');`
Recommendation: Use a dedicated low-balance wallet, keep the private key in a secrets manager or wallet service rather than in source text, and require explicit user approval for each paid purchase.

Finding 2: Automatic purchases without confirmation or spend limits
Impact: The agent could make real USDC purchases, potentially repeatedly, based on incoming events or API responses.
Detail: The decision flow directs the agent to purchase automatically after simple filtering, and the payment wrapper signs the payment challenge without a documented confirmation, total budget, or recipient/amount validation step.
Evidence: `else: → Purchase via x402 ... // Automatically handles: 402 challenge -> sign ERC-3009 -> retry with payment header`
Recommendation: Add explicit human confirmation, hard per-call and daily spend limits, validation of payment amount and recipient, and clear stop/unsubscribe controls before any paid call.

Finding 3: Unauthenticated webhook drives purchase decisions
Impact: A spoofed or malformed webhook could influence the agent's purchase decisions if the receiving endpoint trusts webhook contents directly.
Detail: The provided webhook flow shows external messages driving the buy decision but does not show a signature, shared secret, origin check, or allowlist step before processing.
Evidence: "When a matching alpha drops, your endpoint receives: POST https://your-agent.xyz/hooks/alpha ... Acknowledge fast. Return 200 immediately, then process async."
Recommendation: Require signed webhooks or a shared secret, verify the sender, allowlist Gated Alpha URLs, and do not purchase solely from unauthenticated webhook payloads.

Finding 4: Unpinned external dependencies
Impact: Users must rely on whatever package versions are present locally, which can affect security and reproducibility.
Detail: The skill depends on external npm packages, but the provided artifacts include no install spec or pinned versions. This is purpose-aligned but leaves dependency provenance to the user.
Evidence: "`@x402/core`, `@x402/evm`, `@x402/fetch`, and `viem` must be installed. Run from a directory where these packages exist in `node_modules`."
Recommendation: Install from trusted package registries, pin versions, review the dependency tree, and run the purchase code in an isolated environment.

Finding 5: Persistent webhook subscription
Impact: The user may keep receiving alpha events, and downstream automation may keep reacting, until the subscription is disabled.
Detail: The webhook subscription is an ongoing external registration. It is disclosed and purpose-aligned, but it can continue delivering events after the initial setup.
Evidence: "Register a webhook once. New matching alpha is delivered to your endpoint the moment it drops."
Recommendation: Track subscription IDs, document how to unsubscribe, and pause downstream buying automation when the user no longer wants the service active.
