Trusted — Risk Score 5/100
Last scan: 2 days ago
x402-layer
Web3 payment layer for USDC transactions on Base/Ethereum/Polygon/BSC/Monad/Solana
This is a legitimate Web3 cryptocurrency payment processing skill (x402 Layer) with proper security practices including input validation, path traversal protection, and timing-safe operations. No malicious behavior detected.
Skill Name: x402-layer
Duration: 70.8s
Engine: pi
Safe to install
No action required. This skill is safe to use for its documented purpose of x402 API payment processing, endpoint management, and blockchain wallet operations.
Resource     Declared  Inferred  Status     Evidence
Filesystem   WRITE     WRITE     ✓ Aligned  SKILL.md declares Write/Edit tools; consume_product.py writes downloaded files w…
Network      READ      READ      ✓ Aligned  SKILL.md declares WebFetch; all scripts make HTTP requests to api.x402layer.cc
Shell        WRITE     WRITE     ✓ Aligned  SKILL.md declares Bash; ows_cli.py and awal_bridge.py use subprocess.run (no she…
Environment  NONE      READ      ✓ Aligned  SKILL.md documents environment variables for credentials (PRIVATE_KEY, WALLET_AD…
45 findings

File Tree

43 files · 221.9 KB · 6980 lines
Python 28f · 4817L Markdown 13f · 1861L JavaScript 1f · 286L Text 1f · 16L
├─ 📁 references
│ ├─ 📝 agent-registry-reputation.md Markdown 154L · 4.5 KB
│ ├─ 📝 agentic-endpoints.md Markdown 94L · 2.3 KB
│ ├─ 📝 agentkit-benefits.md Markdown 87L · 2.6 KB
│ ├─ 📝 credit-based.md Markdown 78L · 1.7 KB
│ ├─ 📝 marketplace.md Markdown 48L · 1.2 KB
│ ├─ 📝 mcp-control-plane.md Markdown 129L · 3.3 KB
│ ├─ 📝 openwallet-ows.md Markdown 123L · 3.5 KB
│ ├─ 📝 pay-per-request.md Markdown 214L · 6.1 KB
│ ├─ 📝 payment-signing.md Markdown 88L · 2.3 KB
│ ├─ 📝 payments-integration.md Markdown 174L · 4.8 KB
│ ├─ 📝 webhooks-verification.md Markdown 79L · 1.8 KB
│ └─ 📝 xmtp-support.md Markdown 97L · 2.8 KB
├─ 📁 scripts
│ ├─ 🐍 agentkit_support.py Python 153L · 5.4 KB
│ ├─ 🐍 awal_bridge.py Python 154L · 4.6 KB
│ ├─ 🐍 awal_cli.py Python 106L · 3.4 KB
│ ├─ 🐍 check_credits.py Python 76L · 1.7 KB
│ ├─ 🐍 consume_credits.py Python 80L · 2.3 KB
│ ├─ 🐍 consume_product.py Python 333L · 10.3 KB
│ ├─ 🐍 create_endpoint.py Python 306L · 11.5 KB
│ ├─ 🐍 discover_marketplace.py Python 157L · 5.0 KB
│ ├─ 🐍 erc8004_wallet_client.py Python 102L · 2.9 KB
│ ├─ 🐍 list_agents.py Python 82L · 2.4 KB
│ ├─ 🐍 list_my_endpoints.py Python 73L · 2.3 KB
│ ├─ 🐍 list_on_marketplace.py Python 164L · 5.3 KB
│ ├─ 🐍 manage_endpoint.py Python 255L · 8.8 KB
│ ├─ 🐍 manage_webhook.py Python 129L · 4.0 KB
│ ├─ 🐍 network_selection.py Python 65L · 2.2 KB
│ ├─ 🐍 ows_cli.py Python 166L · 6.1 KB
│ ├─ 🐍 pay_base.py Python 224L · 7.6 KB
│ ├─ 🐍 pay_solana.py Python 88L · 2.7 KB
│ ├─ 🐍 recharge_credits.py Python 163L · 4.9 KB
│ ├─ 🐍 register_agent.py Python 434L · 14.6 KB
│ ├─ 🐍 solana_signing.py Python 325L · 10.7 KB
│ ├─ 🐍 submit_feedback.py Python 136L · 4.0 KB
│ ├─ 🐍 support_auth.py Python 104L · 2.8 KB
│ ├─ 🐍 support_threads.py Python 183L · 6.5 KB
│ ├─ 🐍 topup_endpoint.py Python 139L · 3.8 KB
│ ├─ 🐍 update_agent.py Python 190L · 7.1 KB
│ ├─ 🐍 verify_webhook_payment.py Python 250L · 7.9 KB
│ ├─ 🐍 wallet_signing.py Python 180L · 5.8 KB
│ └─ 📜 xmtp_support.mjs JavaScript 286L · 8.7 KB
├─ 📄 requirements.txt Text 16L · 355 B
└─ 📝 SKILL.md Markdown 496L · 19.5 KB

Dependencies 6 items

Package       Version    Source  Known Vulns  Notes
eth-account   >=0.10.0   pip     No           Version not pinned
web3          >=6.0.0    pip     No           Version not pinned
requests      >=2.28.0   pip     No           Version not pinned
pyjwt         >=2.8.0    pip     No           Version not pinned
cryptography  >=42.0.0   pip     No           Version not pinned
solders       >=0.20.0   pip     No           Version not pinned

Security Positives

✓ Input validation in awal_bridge.py rejects shell metacharacters (;&|`$()<>!)
✓ Path traversal protection in consume_product.py using os.path.basename()
✓ Timing-safe HMAC comparison in verify_webhook_payment.py (hmac.compare_digest)
✓ Explicit documentation that .env files are not auto-loaded
✓ No shell=True in subprocess calls - uses list-based arguments
✓ Clear documentation of least-privilege credential requirements
✓ Subprocess commands built from validated inputs only
✓ All network requests go to documented x402 API endpoints
✓ No base64 piping into bash or eval patterns
✓ No credential exfiltration or data theft patterns
✓ Proper wallet signing for blockchain transactions (legitimate crypto operations)