x402-agent Security Report — Trusted | ClawSafe

5 /100

x402-agent

Auto-detect and pay x402 crypto paywalls for AI agents using EIP-3009 USDC transfers on Base network

Legitimate x402 crypto payment library for AI agents with no malicious behavior; all file I/O and crypto operations are fully documented and align with the skill's stated purpose.

Skill Namex402-agent

Duration70.9s

Enginepi

✓

Safe to install

Approve for use. The skill is a standard crypto-payment interceptor with proper policy controls, spending limits, and domain filtering. No action needed.

Resource	Declared	Inferred	Status	Evidence
Filesystem	`READ`	`WRITE`	✓ Aligned	SKILL.md:122 logFilePath + spendFilePath are declared as config options; both wr…
Network	`READ`	`READ`	✓ Aligned	HTTP requests to external x402 endpoints documented in SKILL.md:27-32 What Happe…
Shell	`NONE`	`NONE`	—	No shell/exec calls in production source. bundle.sh only runs during build (claw…
Environment	`READ`	`READ`	✓ Aligned	X402_WALLET_PRIVATE_KEY read documented in SKILL.md:44 metadata.openclaw.require…
Skill Invoke	`NONE`	`NONE`	—	No inter-skill invocation detected.
Clipboard	`NONE`	`NONE`	—	No clipboard access found.
Browser	`NONE`	`NONE`	—	No browser automation found.
Database	`NONE`	`NONE`	—	No database access found.

1 High 34 findings

🔑

High API Key 疑似硬编码凭证

API_KEY="your-api-key-here"

clawmart/PUBLISHING.md:21

💰

Medium Wallet Address 加密货币钱包地址

0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913

README.md:27

🔗

Medium External URL 外部 URL

https://api.example.com/premium/data

README.md:33

🔗

Medium External URL 外部 URL

https://taraquinn.ai

SKILL.md:8

💰

Medium Wallet Address 加密货币钱包地址

0x036CbD53842c5426634e7929541eC2318f3dCF7e

SKILL.md:110

🔗

Medium External URL 外部 URL

https://api.example.com/premium/weather

SKILL.md:145

🔗

Medium External URL 外部 URL

https://api.example.com/premium

announcements/community-post.md:64

🔗

Medium External URL 外部 URL

https://www.shopclawmart.com/listings/x402-paywall-kit

announcements/community-post.md:88

🔗

Medium External URL 外部 URL

https://www.shopclawmart.com

clawmart/PUBLISHING.md:5

🔗

Medium External URL 外部 URL

https://www.shopclawmart.com/api/v1/listings

clawmart/PUBLISHING.md:23

🔗

Medium External URL 外部 URL

https://www.shopclawmart.com/api/v1/listings/$

clawmart/PUBLISHING.md:36

🔗

Medium External URL 外部 URL

https://faucet.circle.com

demo/README.md:23

🔗

Medium External URL 外部 URL

https://portal.cdp.coinbase.com/products/faucet

demo/README.md:24

🔗

Medium External URL 外部 URL

https://www.alchemy.com/faucets/base-sepolia

demo/README.md:27

🔗

Medium External URL 外部 URL

https://facilitator.cdp.coinbase.com

docs/PRD.md:199

💰

Medium Wallet Address 加密货币钱包地址

0x5b99070C84aB6297F2c1a25490c53eE483C8B499

docs/PRD.md:234

🔗

Medium External URL 外部 URL

https://x402.org

docs/PRD.md:746

🔗

Medium External URL 外部 URL

https://docs.cdp.coinbase.com/x402

docs/PRD.md:747

🔗

Medium External URL 外部 URL

https://www.quicknode.com/guides/x402

docs/PRD.md:748

🔗

Medium External URL 外部 URL

https://docs.openclaw.ai/tools/clawhub

docs/PRD.md:751

🔗

Medium External URL 外部 URL

https://snyk.io/blog/openclaw-skills-credential-leaks-research/

docs/PRD.md:752

🔗

Medium External URL 外部 URL

https://portal.cdp.coinbase.com

integration/README.md:32

🔗

Medium External URL 外部 URL

https://api.example.com/premium-data

packages/agent/README.md:32

💰

Medium Wallet Address 加密货币钱包地址

0x70997970C51812dc3A010C7d01b50e0d17dc79C8

packages/agent/src/__tests__/interceptor.test.ts:19

🔗

Medium External URL 外部 URL

https://custom-facilitator.example.com

packages/express/src/__tests__/middleware.test.ts:141

🔗

Medium External URL 外部 URL

https://x402.org/facilitator

packages/express/src/middleware.ts:35

🔗

Medium External URL 外部 URL

https://api.example.com/data

packages/shared/README.md:60

🔗

Medium External URL 外部 URL

https://taraquinn.ai/schemas/x402-policy.json

references/policy.example.json:2

🔗

Medium External URL 外部 URL

https://dashboard.stripe.com/products

taraquinn-integration/INTEGRATION.md:23

🔗

Medium External URL 外部 URL

https://www.npmjs.com/org/x402-kit

taraquinn-integration/product-card.tsx:118

🔗

Medium External URL 外部 URL

https://clawhub.ai/skills/x402-agent

taraquinn-integration/product.json:35

🔗

Medium External URL 外部 URL

https://taraquinn.ai/api/products/x402-paywall-kit/download

taraquinn-integration/use-x402-payment.ts:15

🔗

Medium External URL 外部 URL

https://clawhub.ai

x402-agent/PUBLISHING.md:47

📧

Info Email 邮箱地址

[email protected]

clawmart/listing.json:21

File Tree

66 files · 198.8 KB · 6078 lines

Markdown 19f · 2853L TypeScript 32f · 2808L JSON 13f · 353L Shell 1f · 54L JavaScript 1f · 10L

├─ ▾ 📁 announcements

│ ├─ 📝 community-post.md Markdown 93L · 2.6 KB

│ ├─ 📝 LAUNCH-CHECKLIST.md Markdown 58L · 1.9 KB

│ └─ 📝 tweets.md Markdown 126L · 2.9 KB

├─ ▾ 📁 clawmart

│ ├─ 🔧 bundle.sh Shell 54L · 1.5 KB

│ ├─ 📋 listing.json JSON 27L · 1.9 KB

│ └─ 📝 PUBLISHING.md Markdown 96L · 2.8 KB

├─ ▾ 📁 demo

│ ├─ 📜 agent.ts TypeScript 98L · 3.1 KB

│ ├─ 📝 README.md Markdown 131L · 3.8 KB

│ └─ 📜 server.ts TypeScript 79L · 2.4 KB

├─ ▾ 📁 docs

│ ├─ 📝 PRD.md Markdown 752L · 33.6 KB

│ └─ 📝 PROGRESS.md Markdown 78L · 9.2 KB

├─ ▾ 📁 integration

│ ├─ 📜 base-sepolia.test.ts TypeScript 121L · 4.0 KB

│ └─ 📝 README.md Markdown 60L · 2.3 KB

├─ ▾ 📁 packages

│ ├─ ▾ 📁 agent

│ │ ├─ ▾ 📁 src

│ │ │ ├─ ▾ 📁 __tests__

│ │ │ │ └─ 📜 interceptor.test.ts TypeScript 294L · 9.2 KB

│ │ │ ├─ 📜 index.ts TypeScript 16L · 650 B

│ │ │ └─ 📜 interceptor.ts TypeScript 215L · 6.0 KB

│ │ ├─ 📋 package.json JSON 49L · 1.2 KB

│ │ ├─ 📝 README.md Markdown 86L · 2.9 KB

│ │ ├─ 📋 tsconfig.json JSON 12L · 211 B

│ │ ├─ 📜 tsup.config.ts TypeScript 20L · 409 B

│ │ └─ 📜 vitest.config.ts TypeScript 8L · 142 B

│ ├─ ▾ 📁 express

│ │ ├─ ▾ 📁 src

│ │ │ ├─ ▾ 📁 __tests__

│ │ │ │ └─ 📜 middleware.test.ts TypeScript 256L · 7.2 KB

│ │ │ ├─ 📜 index.ts TypeScript 16L · 574 B

│ │ │ └─ 📜 middleware.ts TypeScript 183L · 5.4 KB

│ │ ├─ 📋 package.json JSON 52L · 1.3 KB

│ │ ├─ 📝 README.md Markdown 125L · 3.2 KB

│ │ ├─ 📋 tsconfig.json JSON 12L · 211 B

│ │ ├─ 📜 tsup.config.ts TypeScript 20L · 420 B

│ │ └─ 📜 vitest.config.ts TypeScript 8L · 144 B

│ └─ ▾ 📁 shared

│ ├─ ▾ 📁 src

│ │ ├─ ▾ 📁 __tests__

│ │ │ ├─ 📜 logger.test.ts TypeScript 147L · 4.2 KB

│ │ │ └─ 📜 policy.test.ts TypeScript 205L · 7.6 KB

│ │ ├─ ▾ 📁 logger

│ │ │ └─ 📜 index.ts TypeScript 55L · 1.4 KB

│ │ ├─ ▾ 📁 policy

│ │ │ └─ 📜 index.ts TypeScript 181L · 4.7 KB

│ │ ├─ ▾ 📁 types

│ │ │ └─ 📜 index.ts TypeScript 70L · 1.7 KB

│ │ └─ 📜 index.ts TypeScript 5L · 289 B

│ ├─ 📋 package.json JSON 75L · 1.8 KB

│ ├─ 📝 README.md Markdown 99L · 2.7 KB

│ ├─ 📋 tsconfig.json JSON 9L · 160 B

│ ├─ 📜 tsup.config.ts TypeScript 25L · 538 B

│ └─ 📜 vitest.config.ts TypeScript 8L · 143 B

├─ ▾ 📁 references

│ ├─ 📜 agent-setup.example.ts TypeScript 53L · 1.8 KB

│ └─ 📋 policy.example.json JSON 12L · 422 B

├─ ▾ 📁 taraquinn-integration

│ ├─ 📝 INTEGRATION.md Markdown 121L · 3.7 KB

│ ├─ 📜 pay-with-usdc-button.tsx TypeScript 130L · 3.6 KB

│ ├─ 📜 product-card.tsx TypeScript 122L · 3.7 KB

│ ├─ 📋 product.json JSON 37L · 1.3 KB

│ ├─ 📝 SELF-INTEGRATION.md Markdown 195L · 5.9 KB

│ ├─ 📜 stripe-checkout.ts TypeScript 103L · 3.0 KB

│ ├─ 📜 usdc-paywall.ts TypeScript 58L · 1.9 KB

│ ├─ 📜 use-x402-payment.ts TypeScript 138L · 4.2 KB

│ └─ 📜 wagmi-config.ts TypeScript 38L · 1.1 KB

├─ ▾ 📁 x402-agent

│ ├─ ▾ 📁 references

│ │ ├─ 📜 agent-setup.example.ts TypeScript 53L · 1.8 KB

│ │ └─ 📋 policy.example.json JSON 12L · 422 B

│ ├─ 📝 PUBLISHING.md Markdown 70L · 1.6 KB

│ └─ 📝 SKILL.md Markdown 206L · 7.0 KB

├─ ▾ 📁 x402-agent-free

│ ├─ ▾ 📁 references

│ │ └─ 📜 basic-setup.example.ts TypeScript 67L · 1.8 KB

│ ├─ 📝 PUBLISHING.md Markdown 67L · 1.6 KB

│ └─ 📝 SKILL.md Markdown 142L · 4.8 KB

├─ 📜 eslint.config.mjs JavaScript 10L · 236 B

├─ 📋 package.json JSON 33L · 823 B

├─ 📝 README.md Markdown 142L · 4.1 KB

├─ 📝 SKILL.md Markdown 206L · 7.0 KB

├─ 📋 tsconfig.base.json JSON 15L · 341 B

├─ 📋 tsconfig.json JSON 8L · 145 B

├─ 📜 vitest.config.ts TypeScript 8L · 153 B

└─ 📜 vitest.integration.config.ts TypeScript 8L · 165 B

Dependencies 5 items

Package	Version	Source	Known Vulns	Notes
`@x402/core`	`^2.5.0`	npm	No	Upstream x402 protocol library
`@x402/evm`	`^2.5.0`	npm	No	EVM EIP-3009 signing scheme
`@x402/fetch`	`^2.5.0`	npm	No	Upstream fetch wrapper
`viem`	`^2.0.0`	npm	No	Ethereum library for wallet/signing
`@x402/express`	`^2.5.0`	npm	No	Express middleware for x402 servers

Security Positives

✓ No base64, obfuscation, or eval() patterns found anywhere in the codebase

✓ No credential exfiltration or suspicious outbound network calls detected

✓ Private key access is limited to local EIP-3009 signing via viem — key never leaves the process or appears in logs

✓ Comprehensive policy engine with per-request limits, daily spend caps, domain allow/deny lists, and human-approval gates

✓ Payment logging is append-only to user-specified paths with no default paths in sensitive locations

✓ PRD.md contains explicit security requirements including 'Never log private keys' and 'env vars for all secrets'

✓ Unit tests cover policy evaluation, spend tracking, and payment flow with 38 tests in interceptor.test.ts

✓ Dependencies use pinned major versions (^2.5.0 for @x402/*, ^2.0.0 for viem)

✓ clawmart/PUBLISHING.md hardcoded API key is a documented placeholder ('your-api-key-here') with no actual credential value

Scan Report

File Tree

Dependencies 5 items

Security Positives