中文 EN

Scan Report

Scan New Files

Trusted — Risk Score 5/100
Last scan:2 days ago Rescan
5 /100
x402-layer
x402 Web3 支付层技能,支持 Base/Ethereum/Polygon/BSC/Monad/Solana 网络的 USDC 支付、端点部署、市场管理和 ERC-8004 代理注册
x402-layer 技能实现了一个完整的 Web3 支付层,用于 API 付费访问、端点部署、市场管理和 ERC-8004 代理注册。所有声称的功能都有对应的代码实现,未发现文档-行为差异或隐藏的敏感操作。密钥处理通过环境变量而非文件读取,符合加密货币工具的安全实践。
Skill Namex402-layer
Duration45.8s
Enginepi
Safe to install
该技能可安全使用。部署时需确保环境变量(PRIVATE_KEY, SOLANA_SECRET_KEY 等)通过安全渠道注入,避免硬编码或日志输出。

Findings 3 items

Severity Finding Location
Low
依赖包无版本锁定
requirements.txt 中 eth-account, web3, requests, pyjwt, solders 等依赖使用 >= 最低版本约束而非固定版本,可能引入包含恶意代码的依赖版本
eth-account>=0.10.0
web3>=6.0.0
→ 建议使用 pip-compile 或类似工具生成锁定的 requirements.txt
 requirements.txt:1
Info
私钥通过环境变量注入
PRIVATE_KEY 和 SOLANA_SECRET_KEY 通过 os.getenv 读取,虽是标准实践但需确保运行环境和进程列表不被恶意访问
private_key = os.getenv('PRIVATE_KEY')
→ 确保容器/进程安全,避免日志输出敏感凭证
 scripts/wallet_signing.py:129
Info
AWAL/OWS 子进程调用有安全验证
awal_bridge.py 实现了 _validate_safe_string() 和 _validate_env_token() 函数,验证输入不含 shell 危险字符
_SHELL_DANGEROUS_CHARS = set(';&|`$\'<>()!\n\r')
→ 验证逻辑完善,建议保持警惕
 scripts/awal_bridge.py:19
ResourceDeclaredInferredStatusEvidence
Filesystem WRITE WRITE ✓ Aligned 脚本需要写入配置和临时文件
Network READ READ ✓ Aligned 所有网络请求仅访问 x402layer.cc 官方 API
Shell WRITE WRITE ✓ Aligned 仅调用 awal/ows 已知 CLI 工具,有输入验证(awal_bridge.py:19-22)
Environment READ READ ✓ Aligned 读取 PRIVATE_KEY, WALLET_ADDRESS 等,无遍历搜索敏感关键字
45 findings
🔗
Medium External URL 外部 URL
https://studio.x402layer.cc/docs/agentic-access/openclaw-skill
SKILL.md:23
🔗
Medium External URL 外部 URL
https://studio.x402layer.cc
SKILL.md:27
🔗
Medium External URL 外部 URL
https://api.example.com
SKILL.md:199
🔗
Medium External URL 外部 URL
https://my-server.com/webhook
SKILL.md:202
🔗
Medium External URL 外部 URL
https://api.x402layer.cc/e/weather-data
SKILL.md:215
🔗
Medium External URL 外部 URL
https://api.example.com/agent
SKILL.md:336
🔗
Medium External URL 外部 URL
https://api.x402layer.cc
SKILL.md:409
🔗
Medium External URL 外部 URL
https://api.x402layer.cc/e/
SKILL.md:455
🔗
Medium External URL 外部 URL
https://api.x402layer.cc/api/marketplace
SKILL.md:456
🔗
Medium External URL 外部 URL
https://api.x402layer.cc/api/credits/*
SKILL.md:457
🔗
Medium External URL 外部 URL
https://api.x402layer.cc/agent/*
SKILL.md:458
🔗
Medium External URL 外部 URL
https://mcp.x402layer.cc/mcp
SKILL.md:459
🔗
Medium External URL 外部 URL
https://studio.x402layer.cc/docs/agentic-access/mcp-server
SKILL.md:466
🔗
Medium External URL 外部 URL
https://studio.x402layer.cc/docs/developer/sdk-receipts
SKILL.md:467
🔗
Medium External URL 外部 URL
https://api.example.com/fallback
references/agent-registry-reputation.md:89
🔗
Medium External URL 外部 URL
https://api.x402layer.cc/agent/endpoints
references/agentic-endpoints.md:12
🔗
Medium External URL 外部 URL
https://api.x402layer.cc/api/credits/balance?endpoint=
references/credit-based.md:16
🔗
Medium External URL 外部 URL
https://studio.x402layer.cc/pay/credits/
references/credit-based.md:35
🔗
Medium External URL 外部 URL
https://api.x402layer.cc/e/weather-api
references/marketplace.md:32
🔗
Medium External URL 外部 URL
https://api.x402layer.cc/e/my-endpoint
references/pay-per-request.md:18
💰
Medium Wallet Address 加密货币钱包地址
0xCD95802A4aBddD75A5750DD2d6935007eF268275
references/pay-per-request.md:75
💰
Medium Wallet Address 加密货币钱包地址
0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913
references/pay-per-request.md:76
🔗
Medium External URL 外部 URL
https://studio.x402layer.cc/pay/
references/payments-integration.md:64
🔗
Medium External URL 外部 URL
https://studio.x402layer.cc/pay/request/
references/payments-integration.md:65
🔗
Medium External URL 外部 URL
https://docs.xmtp.org/agents/get-started/build-an-agent
references/xmtp-support.md:81
🔗
Medium External URL 外部 URL
https://docs.xmtp.org/chat-apps/core-messaging/manage-inboxes
references/xmtp-support.md:82
🔗
Medium External URL 外部 URL
https://docs.xmtp.org/agents/build-agents/local-database
references/xmtp-support.md:83
🔗
Medium External URL 外部 URL
https://api.x402layer.cc/e/gifu
scripts/awal_bridge.py:97
🔗
Medium External URL 外部 URL
https://api.x402layer.cc/e/gifu?action=purchase
scripts/awal_cli.py:50
🔗
Medium External URL 外部 URL
https://studio.x402layer.cc/pay/pussio
scripts/consume_product.py:13
🔗
Medium External URL 外部 URL
https://api.x402layer.cc/storage/product/abc123-uuid
scripts/consume_product.py:14
🔗
Medium External URL 外部 URL
https://api.x402layer.cc/storage/product/
scripts/consume_product.py:69
🔗
Medium External URL 外部 URL
https://mainnet.base.org
scripts/register_agent.py:29
🔗
Medium External URL 外部 URL
https://sepolia.base.org
scripts/register_agent.py:30
🔗
Medium External URL 外部 URL
https://cloudflare-eth.com
scripts/register_agent.py:31
🔗
Medium External URL 外部 URL
https://ethereum-sepolia-rpc.publicnode.com
scripts/register_agent.py:32
🔗
Medium External URL 外部 URL
https://polygon-rpc.com
scripts/register_agent.py:33
🔗
Medium External URL 外部 URL
https://rpc-amoy.polygon.technology
scripts/register_agent.py:34
🔗
Medium External URL 外部 URL
https://bsc-dataseed.binance.org
scripts/register_agent.py:35
🔗
Medium External URL 外部 URL
https://data-seed-prebsc-1-s1.binance.org:8545
scripts/register_agent.py:36
🔗
Medium External URL 外部 URL
https://rpc.monad.xyz
scripts/register_agent.py:37
🔗
Medium External URL 外部 URL
https://testnet-rpc.monad.xyz
scripts/register_agent.py:38
🔗
Medium External URL 外部 URL
https://api.devnet.solana.com
scripts/register_agent.py:292
🔗
Medium External URL 外部 URL
https://api.mainnet-beta.solana.com
scripts/register_agent.py:292
🔗
Medium External URL 外部 URL
https://api.x402layer.cc/.well-known/jwks.json
scripts/verify_webhook_payment.py:31

File Tree

43 files · 220.6 KB · 6961 lines
Python 28f · 4817L Markdown 13f · 1842L JavaScript 1f · 286L Text 1f · 16L
├─ 📁 references
│ ├─ 📝 agent-registry-reputation.md Markdown 154L · 4.5 KB
│ ├─ 📝 agentic-endpoints.md Markdown 94L · 2.3 KB
│ ├─ 📝 agentkit-benefits.md Markdown 87L · 2.6 KB
│ ├─ 📝 credit-based.md Markdown 78L · 1.7 KB
│ ├─ 📝 marketplace.md Markdown 48L · 1.2 KB
│ ├─ 📝 mcp-control-plane.md Markdown 129L · 3.3 KB
│ ├─ 📝 openwallet-ows.md Markdown 123L · 3.5 KB
│ ├─ 📝 pay-per-request.md Markdown 214L · 6.1 KB
│ ├─ 📝 payment-signing.md Markdown 88L · 2.3 KB
│ ├─ 📝 payments-integration.md Markdown 174L · 4.8 KB
│ ├─ 📝 webhooks-verification.md Markdown 79L · 1.8 KB
│ └─ 📝 xmtp-support.md Markdown 97L · 2.8 KB
├─ 📁 scripts
│ ├─ 🐍 agentkit_support.py Python 153L · 5.4 KB
│ ├─ 🐍 awal_bridge.py Python 154L · 4.6 KB
│ ├─ 🐍 awal_cli.py Python 106L · 3.4 KB
│ ├─ 🐍 check_credits.py Python 76L · 1.7 KB
│ ├─ 🐍 consume_credits.py Python 80L · 2.3 KB
│ ├─ 🐍 consume_product.py Python 333L · 10.3 KB
│ ├─ 🐍 create_endpoint.py Python 306L · 11.5 KB
│ ├─ 🐍 discover_marketplace.py Python 157L · 5.0 KB
│ ├─ 🐍 erc8004_wallet_client.py Python 102L · 2.9 KB
│ ├─ 🐍 list_agents.py Python 82L · 2.4 KB
│ ├─ 🐍 list_my_endpoints.py Python 73L · 2.3 KB
│ ├─ 🐍 list_on_marketplace.py Python 164L · 5.3 KB
│ ├─ 🐍 manage_endpoint.py Python 255L · 8.8 KB
│ ├─ 🐍 manage_webhook.py Python 129L · 4.0 KB
│ ├─ 🐍 network_selection.py Python 65L · 2.2 KB
│ ├─ 🐍 ows_cli.py Python 166L · 6.1 KB
│ ├─ 🐍 pay_base.py Python 224L · 7.6 KB
│ ├─ 🐍 pay_solana.py Python 88L · 2.7 KB
│ ├─ 🐍 recharge_credits.py Python 163L · 4.9 KB
│ ├─ 🐍 register_agent.py Python 434L · 14.6 KB
│ ├─ 🐍 solana_signing.py Python 325L · 10.7 KB
│ ├─ 🐍 submit_feedback.py Python 136L · 4.0 KB
│ ├─ 🐍 support_auth.py Python 104L · 2.8 KB
│ ├─ 🐍 support_threads.py Python 183L · 6.5 KB
│ ├─ 🐍 topup_endpoint.py Python 139L · 3.8 KB
│ ├─ 🐍 update_agent.py Python 190L · 7.1 KB
│ ├─ 🐍 verify_webhook_payment.py Python 250L · 7.9 KB
│ ├─ 🐍 wallet_signing.py Python 180L · 5.8 KB
│ └─ 📜 xmtp_support.mjs JavaScript 286L · 8.7 KB
├─ 📄 requirements.txt Text 16L · 355 B
└─ 📝 SKILL.md Markdown 477L · 18.2 KB

Dependencies 6 items

PackageVersionSourceKnown VulnsNotes
eth-account >=0.10.0 pip No 无版本锁定
web3 >=6.0.0 pip No 无版本锁定
requests >=2.28.0 pip No 无版本锁定
pyjwt >=2.8.0 pip No 无版本锁定
solders >=0.20.0 pip No 无版本锁定
viem * npm No xmtp_support.mjs 使用

Security Positives

✓ 所有网络请求仅指向官方 API 端点 (api.x402layer.cc, studio.x402layer.cc)
✓ 未发现隐藏的数据外传或凭证收割行为
✓ 签名操作仅限于本地钱包,不涉及私钥导出或网络传输
✓ AWAL/OWS 子进程调用有输入验证,防御 shell 注入
✓ 无 base64|bash 管道、裸 IP 请求、eval(atob(...)) 等高危模式
✓ 无遍历 os.environ 匹配敏感关键字的行为
✓ 无远程脚本下载执行行为
✓ 代码结构清晰,文档与实现一致