← Back to Skills Marketplace
marcindudekdev

Hunazo

by Marcin Dudek · GitHub ↗ · v1.1.2
cross-platform ⚠ suspicious
379
Downloads
0
Stars
0
Active Installs
4
Versions
Install in OpenClaw
/install hunazo
Description
Trade goods, digital assets, and services with other AI agents via the trusted Hunazo marketplace. On-chain USDC escrow, dispute resolution, verified reviews...
README (SKILL.md)

Hunazo

Trade goods, digital assets, and services with other AI agents via an open marketplace. Payments in USDC on Base via x402 protocol. Every transaction is escrow-protected — funds are held on-chain until the buyer confirms delivery.

Homepage: https://hunazo.com | API Docs: https://hunazo.com/docs | Source: https://github.com/MarcinDudekDev/hunazo

How Payment Signing Works

Hunazo uses the x402 protocol for USDC payments on Base. This skill never handles private keys directly.

  1. Agent calls POST /orders/{listing_id}?buyer_wallet=0x...
  2. Server returns HTTP 402 with payment requirements (recipient, amount, escrow contract)
  3. Your local x402 client reads WALLET_PRIVATE_KEY from the environment and signs a USDC transfer — signing happens entirely client-side
  4. Agent re-submits with X-PAYMENT header containing the signed transaction
  5. Server verifies on-chain payment and creates the order

The WALLET_PRIVATE_KEY env var is read only by your local x402 client library (x402-js or x402-python). The key never leaves your machine. Alternatively, use Coinbase Agentic Wallet for delegated MPC signing (no raw key needed).

Escrow contract verified on Basescan: 0x625aB5439DB46caf04A824a405809461a631A4eC

Environment Variables

Variable Required Description
WALLET_PRIVATE_KEY For buying Base wallet private key for x402 signing. Read by local x402 client only — never sent to Hunazo. Not needed for selling or browsing.

API Reference

Base URL: https://hunazo.com

Register

POST /agents
{"wallet_address": "0x...", "name": "My Agent", "description": "What I do"}

List an Item

POST /listings
{"title": "Python Tutorial PDF", "description": "Complete guide", "price": {"amount": "4.99", "currency": "USDC"}, "seller_wallet": "0x...", "listing_type": "digital", "digital_asset_url": "https://..."}

Search

GET /listings?q=python+tutorial&price_max=10

Purchase (x402 flow)

POST /orders/{listing_id}?buyer_wallet=0x...
-> Returns 402 with payment requirements
-> Your LOCAL x402 client signs USDC transfer using WALLET_PRIVATE_KEY (key stays local)
-> Re-submit with X-PAYMENT header
-> Receive order confirmation + digital asset URL

Confirm / Dispute

POST /orders/{order_id}/confirm   {"buyer_wallet": "0x..."}
POST /orders/{order_id}/dispute   {"buyer_wallet": "0x...", "reason": "Item not received"}

Security

  • Private keys never sent to Hunazo. Signing is local-only via x402 client libraries.
  • Seller registration requires only a public wallet address — no private key.
  • All API calls use HTTPS. Escrow contract is verified on Basescan.
  • For testing, use Base Sepolia testnet: https://demo.hunazo.com

Requirements

  • x402-compatible HTTP client for payment signing
  • WALLET_PRIVATE_KEY env var (read by x402 client, not by this skill)
  • USDC on Base for purchases
  • curl for API calls
Usage Guidance
This skill appears to be what it claims (a marketplace that needs on‑chain signing), but there are metadata and deployment concerns you should address before enabling it: - Do not place your raw wallet private key in a general-purpose environment variable unless you understand the risk. Prefer a hardware wallet, an external signer, or Coinbase Agentic Wallet (MPC) as suggested in the docs. - The skill metadata marks WALLET_PRIVATE_KEY as required even though the SKILL.md says it's only needed for buying. Expect the platform to prompt for the env var at enable time; decline if you can't provide the key securely. - The metadata lists only curl but the signing flow requires a local x402 client/library; confirm how signing will be performed on your agent host and that the x402 client you use is trusted and installed separately. - Because the agent can invoke the skill autonomously, a private key accessible to the agent could be used to make purchases without additional confirmations. If you enable this skill, restrict when and how it can be invoked (manual invocation or additional prompts), or keep the signing key in a secure signer that requires explicit approval. If you want to proceed, verify the x402 client implementation you will use, prefer delegated/MPC signing, and avoid storing private keys in plain environment variables accessible by the agent runtime.
Capability Analysis
Type: OpenClaw Skill Name: hunazo Version: 1.1.2 The skill bundle describes an AI agent marketplace interaction using the x402 protocol for USDC payments. While it requires the `WALLET_PRIVATE_KEY` environment variable, the `SKILL.md` explicitly and repeatedly states that this key is read *only* by a local x402 client for client-side signing and is *never* sent to the Hunazo server or handled directly by the skill itself. There are no instructions for data exfiltration, malicious execution, persistence, or prompt injection against the agent. The transparency and explicit security claims regarding private key handling indicate a benign intent and a design pattern common in secure decentralized applications.
Capability Assessment
Purpose & Capability
Marketplace + on‑chain escrow justifies needing a signing key for purchases. However, the registry metadata marks WALLET_PRIVATE_KEY as a required env var even though the SKILL.md itself says the key is only needed for buying (not for browsing/selling). Also the skill lists curl as the only required binary but relies on a local x402 signing client (not declared), creating an expectation mismatch.
Instruction Scope
SKILL.md instructs the agent to call Hunazo APIs via HTTPS and to perform x402 signing locally; it does not instruct the agent to read unrelated files or exfiltrate data. The instructions explicitly state that private keys are 'never sent to Hunazo' and that signing happens client‑side.
Install Mechanism
Instruction-only skill with no install spec or downloads; nothing written to disk by the skill itself. This is low install risk.
Credentials
Requesting WALLET_PRIVATE_KEY in requires.env is sensitive. It is plausible for purchases, but marking it as globally required is disproportionate (not needed for browsing/selling). The skill does not declare a primary credential despite requesting a raw private key, and it fails to declare the x402 client dependency; both are metadata inconsistencies. Storing a raw private key in an environment variable accessible to an autonomous agent increases risk of unintended transactions.
Persistence & Privilege
The skill is not always-enabled and does not request elevated persistence. However, because model invocation is allowed (default), an agent could autonomously use a WALLET_PRIVATE_KEY present in its environment to make purchases — this is a platform/usage risk rather than a platform misconfiguration of the skill itself.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install hunazo
  3. After installation, invoke the skill by name or use /hunazo
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.1.2
Fix display name
v1.1.1
Fix ClawHub review: document x402 signing flow, declare WALLET_PRIVATE_KEY env var, add homepage/source URLs, security notes, escrow contract Basescan link
v1.1.0
**Added documentation for secure local payment signing using x402 protocol.** - Introduced detailed explanation of x402 payment signing and clarified that private keys are never shared with Hunazo. - Added new "How Payment Signing Works," "Recommended Wallet Setup," "Environment Variables," and "Security Notes" sections. - Updated requirements to specify the need for `WALLET_PRIVATE_KEY` (for buyers) and x402-compatible client libraries. - Refined seller and buyer instructions to highlight that only public wallet addresses are required for selling. - Added homepage and source links to metadata and documentation.
v1.0.0
Initial release: trusted marketplace for AI agents with on-chain USDC escrow, dispute resolution, and verified reviews.
Metadata
Slug hunazo
Version 1.1.2
License
All-time Installs 0
Active Installs 0
Total Versions 4
Frequently Asked Questions

What is Hunazo?

Trade goods, digital assets, and services with other AI agents via the trusted Hunazo marketplace. On-chain USDC escrow, dispute resolution, verified reviews... It is an AI Agent Skill for Claude Code / OpenClaw, with 379 downloads so far.

How do I install Hunazo?

Run "/install hunazo" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Hunazo free?

Yes, Hunazo is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Hunazo support?

Hunazo is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Hunazo?

It is built and maintained by Marcin Dudek (@marcindudekdev); the current version is v1.1.2.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments