x402-layer 安全扫描报告 — 可信 | ClawSafe

5 /100

x402-layer

Web3 payment layer for USDC transactions on Base/Ethereum/Polygon/BSC/Monad/Solana

This is a legitimate Web3 cryptocurrency payment processing skill (x402 Layer) with proper security practices including input validation, path traversal protection, and timing-safe operations. No malicious behavior detected.

技能名称x402-layer

分析耗时70.8s

引擎pi

✓

可以安装

No action required. This skill is safe to use for its documented purpose of x402 API payment processing, endpoint management, and blockchain wallet operations.

资源类型	声明权限	推断权限	状态	证据
文件系统	`WRITE`	`WRITE`	✓ 一致	SKILL.md declares Write/Edit tools; consume_product.py writes downloaded files w…
网络访问	`READ`	`READ`	✓ 一致	SKILL.md declares WebFetch; all scripts make HTTP requests to api.x402layer.cc
命令执行	`WRITE`	`WRITE`	✓ 一致	SKILL.md declares Bash; ows_cli.py and awal_bridge.py use subprocess.run (no she…
环境变量	`NONE`	`READ`	✓ 一致	SKILL.md documents environment variables for credentials (PRIVATE_KEY, WALLET_AD…

45 项发现

🔗

中危外部 URL 外部 URL

https://docs.x402layer.cc/agentic-access/openclaw-skill

SKILL.md:23

🔗

中危外部 URL 外部 URL

https://studio.x402layer.cc

SKILL.md:27

🔗

中危外部 URL 外部 URL

https://api.example.com

SKILL.md:203

🔗

中危外部 URL 外部 URL

https://my-server.com/webhook

SKILL.md:206

🔗

中危外部 URL 外部 URL

https://api.x402layer.cc/e/weather-data

SKILL.md:219

🔗

中危外部 URL 外部 URL

https://api.example.com/agent

SKILL.md:340

🔗

中危外部 URL 外部 URL

https://api.x402layer.cc

SKILL.md:413

🔗

中危外部 URL 外部 URL

https://api.x402layer.cc/e/

SKILL.md:459

🔗

中危外部 URL 外部 URL

https://api.x402layer.cc/api/marketplace

SKILL.md:460

🔗

中危外部 URL 外部 URL

https://api.x402layer.cc/api/credits/*

SKILL.md:461

🔗

中危外部 URL 外部 URL

https://api.x402layer.cc/agent/*

SKILL.md:462

🔗

中危外部 URL 外部 URL

https://mcp.x402layer.cc/mcp

SKILL.md:463

🔗

中危外部 URL 外部 URL

https://studio.x402layer.cc/docs/agentic-access/mcp-server

SKILL.md:470

🔗

中危外部 URL 外部 URL

https://studio.x402layer.cc/docs/developer/sdk-receipts

SKILL.md:471

🔗

中危外部 URL 外部 URL

https://api.example.com/fallback

references/agent-registry-reputation.md:89

🔗

中危外部 URL 外部 URL

https://api.x402layer.cc/agent/endpoints

references/agentic-endpoints.md:12

🔗

中危外部 URL 外部 URL

https://api.x402layer.cc/api/credits/balance?endpoint=

references/credit-based.md:16

🔗

中危外部 URL 外部 URL

https://studio.x402layer.cc/pay/credits/

references/credit-based.md:35

🔗

中危外部 URL 外部 URL

https://api.x402layer.cc/e/weather-api

references/marketplace.md:32

🔗

中危外部 URL 外部 URL

https://api.x402layer.cc/e/my-endpoint

references/pay-per-request.md:18

💰

中危钱包地址加密货币钱包地址

0xCD95802A4aBddD75A5750DD2d6935007eF268275

references/pay-per-request.md:75

💰

中危钱包地址加密货币钱包地址

0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913

references/pay-per-request.md:76

🔗

中危外部 URL 外部 URL

https://studio.x402layer.cc/pay/

references/payments-integration.md:64

🔗

中危外部 URL 外部 URL

https://studio.x402layer.cc/pay/request/

references/payments-integration.md:65

🔗

中危外部 URL 外部 URL

https://docs.xmtp.org/agents/get-started/build-an-agent

references/xmtp-support.md:81

🔗

中危外部 URL 外部 URL

https://docs.xmtp.org/chat-apps/core-messaging/manage-inboxes

references/xmtp-support.md:82

🔗

中危外部 URL 外部 URL

https://docs.xmtp.org/agents/build-agents/local-database

references/xmtp-support.md:83

🔗

中危外部 URL 外部 URL

https://api.x402layer.cc/e/gifu

scripts/awal_bridge.py:97

🔗

中危外部 URL 外部 URL

https://api.x402layer.cc/e/gifu?action=purchase

scripts/awal_cli.py:50

🔗

中危外部 URL 外部 URL

https://studio.x402layer.cc/pay/pussio

scripts/consume_product.py:13

🔗

中危外部 URL 外部 URL

https://api.x402layer.cc/storage/product/abc123-uuid

scripts/consume_product.py:14

🔗

中危外部 URL 外部 URL

https://api.x402layer.cc/storage/product/

scripts/consume_product.py:69

🔗

中危外部 URL 外部 URL

https://mainnet.base.org

scripts/register_agent.py:29

🔗

中危外部 URL 外部 URL

https://sepolia.base.org

scripts/register_agent.py:30

🔗

中危外部 URL 外部 URL

https://cloudflare-eth.com

scripts/register_agent.py:31

🔗

中危外部 URL 外部 URL

https://ethereum-sepolia-rpc.publicnode.com

scripts/register_agent.py:32

🔗

中危外部 URL 外部 URL

https://polygon-rpc.com

scripts/register_agent.py:33

🔗

中危外部 URL 外部 URL

https://rpc-amoy.polygon.technology

scripts/register_agent.py:34

🔗

中危外部 URL 外部 URL

https://bsc-dataseed.binance.org

scripts/register_agent.py:35

🔗

中危外部 URL 外部 URL

https://data-seed-prebsc-1-s1.binance.org:8545

scripts/register_agent.py:36

🔗

中危外部 URL 外部 URL

https://rpc.monad.xyz

scripts/register_agent.py:37

🔗

中危外部 URL 外部 URL

https://testnet-rpc.monad.xyz

scripts/register_agent.py:38

🔗

中危外部 URL 外部 URL

https://api.devnet.solana.com

scripts/register_agent.py:292

🔗

中危外部 URL 外部 URL

https://api.mainnet-beta.solana.com

scripts/register_agent.py:292

🔗

中危外部 URL 外部 URL

https://api.x402layer.cc/.well-known/jwks.json

scripts/verify_webhook_payment.py:31

目录结构

43 文件 · 221.9 KB · 6980 行

Python 28f · 4817L Markdown 13f · 1861L JavaScript 1f · 286L Text 1f · 16L

├─ ▾ 📁 references

│ ├─ 📝 agent-registry-reputation.md Markdown 154L · 4.5 KB

│ ├─ 📝 agentic-endpoints.md Markdown 94L · 2.3 KB

│ ├─ 📝 agentkit-benefits.md Markdown 87L · 2.6 KB

│ ├─ 📝 credit-based.md Markdown 78L · 1.7 KB

│ ├─ 📝 marketplace.md Markdown 48L · 1.2 KB

│ ├─ 📝 mcp-control-plane.md Markdown 129L · 3.3 KB

│ ├─ 📝 openwallet-ows.md Markdown 123L · 3.5 KB

│ ├─ 📝 pay-per-request.md Markdown 214L · 6.1 KB

│ ├─ 📝 payment-signing.md Markdown 88L · 2.3 KB

│ ├─ 📝 payments-integration.md Markdown 174L · 4.8 KB

│ ├─ 📝 webhooks-verification.md Markdown 79L · 1.8 KB

│ └─ 📝 xmtp-support.md Markdown 97L · 2.8 KB

├─ ▾ 📁 scripts

│ ├─ 🐍 agentkit_support.py Python 153L · 5.4 KB

│ ├─ 🐍 awal_bridge.py Python 154L · 4.6 KB

│ ├─ 🐍 awal_cli.py Python 106L · 3.4 KB

│ ├─ 🐍 check_credits.py Python 76L · 1.7 KB

│ ├─ 🐍 consume_credits.py Python 80L · 2.3 KB

│ ├─ 🐍 consume_product.py Python 333L · 10.3 KB

│ ├─ 🐍 create_endpoint.py Python 306L · 11.5 KB

│ ├─ 🐍 discover_marketplace.py Python 157L · 5.0 KB

│ ├─ 🐍 erc8004_wallet_client.py Python 102L · 2.9 KB

│ ├─ 🐍 list_agents.py Python 82L · 2.4 KB

│ ├─ 🐍 list_my_endpoints.py Python 73L · 2.3 KB

│ ├─ 🐍 list_on_marketplace.py Python 164L · 5.3 KB

│ ├─ 🐍 manage_endpoint.py Python 255L · 8.8 KB

│ ├─ 🐍 manage_webhook.py Python 129L · 4.0 KB

│ ├─ 🐍 network_selection.py Python 65L · 2.2 KB

│ ├─ 🐍 ows_cli.py Python 166L · 6.1 KB

│ ├─ 🐍 pay_base.py Python 224L · 7.6 KB

│ ├─ 🐍 pay_solana.py Python 88L · 2.7 KB

│ ├─ 🐍 recharge_credits.py Python 163L · 4.9 KB

│ ├─ 🐍 register_agent.py Python 434L · 14.6 KB

│ ├─ 🐍 solana_signing.py Python 325L · 10.7 KB

│ ├─ 🐍 submit_feedback.py Python 136L · 4.0 KB

│ ├─ 🐍 support_auth.py Python 104L · 2.8 KB

│ ├─ 🐍 support_threads.py Python 183L · 6.5 KB

│ ├─ 🐍 topup_endpoint.py Python 139L · 3.8 KB

│ ├─ 🐍 update_agent.py Python 190L · 7.1 KB

│ ├─ 🐍 verify_webhook_payment.py Python 250L · 7.9 KB

│ ├─ 🐍 wallet_signing.py Python 180L · 5.8 KB

│ └─ 📜 xmtp_support.mjs JavaScript 286L · 8.7 KB

├─ 📄 requirements.txt Text 16L · 355 B

└─ 📝 SKILL.md Markdown 496L · 19.5 KB

依赖分析 6 项

包名	版本	来源	已知漏洞	备注
`eth-account`	`>=0.10.0`	pip	否	Version not pinned
`web3`	`>=6.0.0`	pip	否	Version not pinned
`requests`	`>=2.28.0`	pip	否	Version not pinned
`pyjwt`	`>=2.8.0`	pip	否	Version not pinned
`cryptography`	`>=42.0.0`	pip	否	Version not pinned
`solders`	`>=0.20.0`	pip	否	Version not pinned

安全亮点

✓ Input validation in awal_bridge.py rejects shell metacharacters (;&|`$()<>!)

✓ Path traversal protection in consume_product.py using os.path.basename()

✓ Timing-safe HMAC comparison in verify_webhook_payment.py (hmac.compare_digest)

✓ Explicit documentation that .env files are not auto-loaded

✓ No shell=True in subprocess calls - uses list-based arguments

✓ Clear documentation of least-privilege credential requirements

✓ Subprocess commands built from validated inputs only

✓ All network requests go to documented x402 API endpoints

✓ No base64 piping into bash or eval patterns

✓ No credential exfiltration or data theft patterns

✓ Proper wallet signing for blockchain transactions (legitimate crypto operations)