Trusted — Risk Score 5/100
Last scan: 3 hr ago
x402-agent
Detect and pay x402 crypto paywalls automatically. When your agent gets a 402 Payment Required response with x402 JSON, this skill handles payment via Coinbase facilitator on Base network with USDC.
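An x402 crypto payment toolkit that lets AI agents automatically pay HTTP 402 cryptocurrency paywalls. Code quality is high, documentation is complete, there is no malicious behaviour, and the declared capabilities match the actual behaviour.
Skill Name: x402-agent
Duration: 49.3s
Engine: pi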
ClawHub x402 Paywall Kit v1.0.0 by tara-quinn-ai
📥 160
ClawHub Verdict Suspicious potential_exfiltration
Safe to install
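Approved for use. This skill is a legitimate blockchain payment tool that depends on the official @x402 packages and the viem library; its security is as expected.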

Findings 2 items

Severity Finding Location
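Info
npm dependencies use loose version pinning (Supply Chain)
Dependency declarations use ^ version ranges (e.g. ^2.5.0, ^2.0.0), which may pull in unexpected versions. This is common practice in the npm ecosystem; impact is limited.
"@x402/core": "^2.5.0"
→ For stronger security, pin exact version numbers (e.g. 2.5.0)
packages/*/package.json
Info
API key placeholder in documentation (Doc Mismatch)
clawmart/PUBLISHING.md contains the placeholder API_KEY="your-api-key-here". This is a documentation example, not a real credential; the risk is very low.
export CLAWMART_API_KEY="your-api-key-here"
→ No fix needed - documentation example only
clawmart/PUBLISHING.md:21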
Resource Declared Inferred Status Evidence
Network READ READ ✓ Aligned packages/agent/src/interceptor.ts - HTTP requests detect the 402 status and retry
Environment READ READ ✓ Aligned packages/agent/src/interceptor.ts - reads only X402_WALLET_PRIVATE_KEY
Filesystem WRITE WRITE ✓ Aligned packages/shared/src/policy/index.ts - writes only the spend and log files
Shell NONE NONE N/A - no shell execution
1 High 34 findings
🔑
High API Key (suspected hard-coded credential)
API_KEY="your-api-key-here"
clawmart/PUBLISHING.md:21
💰
Medium Wallet Address
0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913
README.md:27
🔗
Medium External URL
https://api.example.com/premium/data
README.md:33
🔗
Medium External URL
https://taraquinn.ai
SKILL.md:8
💰
Medium Wallet Address
0x036CbD53842c5426634e7929541eC2318f3dCF7e
SKILL.md:110
🔗
Medium External URL
https://api.example.com/premium/weather
SKILL.md:145
🔗
Medium External URL
https://api.example.com/premium
announcements/community-post.md:64
🔗
Medium External URL
https://www.shopclawmart.com/listings/x402-paywall-kit
announcements/community-post.md:88
🔗
Medium External URL
https://www.shopclawmart.com
clawmart/PUBLISHING.md:5
🔗
Medium External URL
https://www.shopclawmart.com/api/v1/listings
clawmart/PUBLISHING.md:23
🔗
Medium External URL
https://www.shopclawmart.com/api/v1/listings/$
clawmart/PUBLISHING.md:36
🔗
Medium External URL
https://faucet.circle.com
demo/README.md:23
🔗
Medium External URL
https://portal.cdp.coinbase.com/products/faucet
demo/README.md:24
🔗
Medium External URL
https://www.alchemy.com/faucets/base-sepolia
demo/README.md:27
🔗
Medium External URL
https://facilitator.cdp.coinbase.com
docs/PRD.md:199
💰
Medium Wallet Address
0x5b99070C84aB6297F2c1a25490c53eE483C8B499
docs/PRD.md:234
🔗
Medium External URL
https://x402.org
docs/PRD.md:746
🔗
Medium External URL
https://docs.cdp.coinbase.com/x402
docs/PRD.md:747
🔗
Medium External URL
https://www.quicknode.com/guides/x402
docs/PRD.md:748
🔗
Medium External URL
https://docs.openclaw.ai/tools/clawhub
docs/PRD.md:751
🔗
Medium External URL
https://snyk.io/blog/openclaw-skills-credential-leaks-research/
docs/PRD.md:752
🔗
Medium External URL
https://portal.cdp.coinbase.com
integration/README.md:32
🔗
Medium External URL
https://api.example.com/premium-data
packages/agent/README.md:32
💰
Medium Wallet Address
0x70997970C51812dc3A010C7d01b50e0d17dc79C8
packages/agent/src/__tests__/interceptor.test.ts:19
🔗
Medium External URL
https://custom-facilitator.example.com
packages/express/src/__tests__/middleware.test.ts:141
🔗
Medium External URL
https://x402.org/facilitator
packages/express/src/middleware.ts:35
🔗
Medium External URL
https://api.example.com/data
packages/shared/README.md:60
🔗
Medium External URL
https://taraquinn.ai/schemas/x402-policy.json
references/policy.example.json:2
🔗
Medium External URL
https://dashboard.stripe.com/products
taraquinn-integration/INTEGRATION.md:23
🔗
Medium External URL
https://www.npmjs.com/org/x402-kit
taraquinn-integration/product-card.tsx:118
🔗
Medium External URL
https://clawhub.ai/skills/x402-agent
taraquinn-integration/product.json:35
🔗
Medium External URL
https://taraquinn.ai/api/products/x402-paywall-kit/download
taraquinn-integration/use-x402-payment.ts:15
🔗
Medium External URL
https://clawhub.ai
x402-agent/PUBLISHING.md:47
📧
Info Email
[email protected]
clawmart/listing.json:21

File Tree

66 files · 198.8 KB · 6078 lines
Markdown 19f · 2853L TypeScript 32f · 2808L JSON 13f · 353L Shell 1f · 54L JavaScript 1f · 10L
├─ 📁 announcements
│ ├─ 📝 community-post.md Markdown 93L · 2.6 KB
│ ├─ 📝 LAUNCH-CHECKLIST.md Markdown 58L · 1.9 KB
│ └─ 📝 tweets.md Markdown 126L · 2.9 KB
├─ 📁 clawmart
│ ├─ 🔧 bundle.sh Shell 54L · 1.5 KB
│ ├─ 📋 listing.json JSON 27L · 1.9 KB
│ └─ 📝 PUBLISHING.md Markdown 96L · 2.8 KB
├─ 📁 demo
│ ├─ 📜 agent.ts TypeScript 98L · 3.1 KB
│ ├─ 📝 README.md Markdown 131L · 3.8 KB
│ └─ 📜 server.ts TypeScript 79L · 2.4 KB
├─ 📁 docs
│ ├─ 📝 PRD.md Markdown 752L · 33.6 KB
│ └─ 📝 PROGRESS.md Markdown 78L · 9.2 KB
├─ 📁 integration
│ ├─ 📜 base-sepolia.test.ts TypeScript 121L · 4.0 KB
│ └─ 📝 README.md Markdown 60L · 2.3 KB
├─ 📁 packages
│ ├─ 📁 agent
│ │ ├─ 📁 src
│ │ │ ├─ 📁 __tests__
│ │ │ │ └─ 📜 interceptor.test.ts TypeScript 294L · 9.2 KB
│ │ │ ├─ 📜 index.ts TypeScript 16L · 650 B
│ │ │ └─ 📜 interceptor.ts TypeScript 215L · 6.0 KB
│ │ ├─ 📋 package.json JSON 49L · 1.2 KB
│ │ ├─ 📝 README.md Markdown 86L · 2.9 KB
│ │ ├─ 📋 tsconfig.json JSON 12L · 211 B
│ │ ├─ 📜 tsup.config.ts TypeScript 20L · 409 B
│ │ └─ 📜 vitest.config.ts TypeScript 8L · 142 B
│ ├─ 📁 express
│ │ ├─ 📁 src
│ │ │ ├─ 📁 __tests__
│ │ │ │ └─ 📜 middleware.test.ts TypeScript 256L · 7.2 KB
│ │ │ ├─ 📜 index.ts TypeScript 16L · 574 B
│ │ │ └─ 📜 middleware.ts TypeScript 183L · 5.4 KB
│ │ ├─ 📋 package.json JSON 52L · 1.3 KB
│ │ ├─ 📝 README.md Markdown 125L · 3.2 KB
│ │ ├─ 📋 tsconfig.json JSON 12L · 211 B
│ │ ├─ 📜 tsup.config.ts TypeScript 20L · 420 B
│ │ └─ 📜 vitest.config.ts TypeScript 8L · 144 B
│ └─ 📁 shared
│   ├─ 📁 src
│   │ ├─ 📁 __tests__
│   │ │ ├─ 📜 logger.test.ts TypeScript 147L · 4.2 KB
│   │ │ └─ 📜 policy.test.ts TypeScript 205L · 7.6 KB
│   │ ├─ 📁 logger
│   │ │ └─ 📜 index.ts TypeScript 55L · 1.4 KB
│   │ ├─ 📁 policy
│   │ │ └─ 📜 index.ts TypeScript 181L · 4.7 KB
│   │ ├─ 📁 types
│   │ │ └─ 📜 index.ts TypeScript 70L · 1.7 KB
│   │ └─ 📜 index.ts TypeScript 5L · 289 B
│   ├─ 📋 package.json JSON 75L · 1.8 KB
│   ├─ 📝 README.md Markdown 99L · 2.7 KB
│   ├─ 📋 tsconfig.json JSON 9L · 160 B
│   ├─ 📜 tsup.config.ts TypeScript 25L · 538 B
│   └─ 📜 vitest.config.ts TypeScript 8L · 143 B
├─ 📁 references
│ ├─ 📜 agent-setup.example.ts TypeScript 53L · 1.8 KB
│ └─ 📋 policy.example.json JSON 12L · 422 B
├─ 📁 taraquinn-integration
│ ├─ 📝 INTEGRATION.md Markdown 121L · 3.7 KB
│ ├─ 📜 pay-with-usdc-button.tsx TypeScript 130L · 3.6 KB
│ ├─ 📜 product-card.tsx TypeScript 122L · 3.7 KB
│ ├─ 📋 product.json JSON 37L · 1.3 KB
│ ├─ 📝 SELF-INTEGRATION.md Markdown 195L · 5.9 KB
│ ├─ 📜 stripe-checkout.ts TypeScript 103L · 3.0 KB
│ ├─ 📜 usdc-paywall.ts TypeScript 58L · 1.9 KB
│ ├─ 📜 use-x402-payment.ts TypeScript 138L · 4.2 KB
│ └─ 📜 wagmi-config.ts TypeScript 38L · 1.1 KB
├─ 📁 x402-agent
│ ├─ 📁 references
│ │ ├─ 📜 agent-setup.example.ts TypeScript 53L · 1.8 KB
│ │ └─ 📋 policy.example.json JSON 12L · 422 B
│ ├─ 📝 PUBLISHING.md Markdown 70L · 1.6 KB
│ └─ 📝 SKILL.md Markdown 206L · 7.0 KB
├─ 📁 x402-agent-free
│ ├─ 📁 references
│ │ └─ 📜 basic-setup.example.ts TypeScript 67L · 1.8 KB
│ ├─ 📝 PUBLISHING.md Markdown 67L · 1.6 KB
│ └─ 📝 SKILL.md Markdown 142L · 4.8 KB
├─ 📜 eslint.config.mjs JavaScript 10L · 236 B
├─ 📋 package.json JSON 33L · 823 B
├─ 📝 README.md Markdown 142L · 4.1 KB
├─ 📝 SKILL.md Markdown 206L · 7.0 KB
├─ 📋 tsconfig.base.json JSON 15L · 341 B
├─ 📋 tsconfig.json JSON 8L · 145 B
├─ 📜 vitest.config.ts TypeScript 8L · 153 B
└─ 📜 vitest.integration.config.ts TypeScript 8L · 165 B

Dependencies 6 items

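Package Version Source Known Vulns Notes
@x402/core ^2.5.0 npm No Official x402 protocol core library
@x402/evm ^2.5.0 npm No Official EVM signing library
@x402/fetch ^2.5.0 npm No Official fetch wrapper
@x402/express ^2.5.0 npm No Official Express middleware
viem ^2.0.0 npm No Mainstream Ethereum development library; loose version range
tsup ^8.0.0 npm No Build tool, used only in the development environment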

Security Positives

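✓ No shell execution, subprocess calls or command injection
✓ No credential harvesting, environment-variable enumeration or sensitive-data reads
✓ No base64 encoding, eval() execution or code obfuscation
✓ No data exfiltration, external C2 communication or suspicious network requests
✓ Documentation is complete; declared capabilities fully match actual behaviour
✓ Correctly uses the official viem library to handle blockchain transactions
✓ Environment variables are handled properly; private keys are never hard-coded
✓ Includes a complete policy engine and audit logging
✓ Ample unit-test coverage (294 lines of test code)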