Downloads: 667 | Stars: 0 | Active Installs: 2 | Versions: 1
Install in OpenClaw
/install x402-creative-resources
Description
Access Xona's x402 creative resource APIs on api.xona-agent.com. Includes creative director (design research), image generation (nano-banana, seedream, grok-...
Usage Guidance
This skill will attempt to use a Solana private key (XONA_WALLET_SECRET) to pay for API calls. Before installing:
- 1) Confirm the manifest is corrected to list required credentials.
- 2) Do not supply a production/private wallet key as a plaintext env var; prefer platform-managed signing or an ephemeral/test wallet with minimal funds.
- 3) Audit the npm package @dexterai/x402 (source, reputation, versions) to ensure it doesn't exfiltrate keys.
- 4) Require explicit user confirmation for any payment calls or restrict the agent from autonomous invocation when wallet access is present.
- 5) If you cannot verify the endpoint (api.xona-agent.com) and the npm package, avoid giving the skill a wallet secret.

If the developer can update the manifest to declare XONA_WALLET_SECRET and explain how signing is done securely (e.g., local signing, no key transmission), re-evaluate; currently the mismatch between declared and actual requirements is the main concern.
Capability Analysis
Type: OpenClaw Skill
Name: x402-creative-resources
Version: 1.0.0
The skill bundle is suspicious due to critical vulnerabilities in `SKILL.md` and `scripts/x402-fetch.js`. The `SKILL.md` instructs the agent to execute shell commands with arguments derived from user input, creating a shell injection risk if the agent does not properly sanitize inputs. More critically, `scripts/x402-fetch.js` allows arbitrary URL access (SSRF) if the `endpoint` argument starts with `http`, bypassing the intended `api.xona-agent.com` domain. This, combined with the script's requirement for the `XONA_WALLET_SECRET` environment variable (a Solana private key), creates a high risk of data exfiltration or unauthorized actions if the agent is compromised via prompt injection.
Capability Assessment
Purpose & Capability
The skill's stated purpose (paid x402 calls for image/video/news/token intelligence) legitimately requires a payment-capable wallet, so needing wallet access is plausible — but the manifest/requirements list claims no env vars or credentials while the included script requires XONA_WALLET_SECRET. This mismatch is a red flag (either the manifest is incomplete or the skill is trying to obtain a raw private key unexpectedly).
Instruction Scope
SKILL.md instructs running scripts in the agent workspace to call api.xona-agent.com and states the agent wallet 'pays automatically', but it does not document the required XONA_WALLET_SECRET environment variable. The runtime script reads this secret and passes it to a third-party client library, which could sign transactions locally or transmit the private key to remote code — the manifest and instructions do not make this behavior explicit.
Install Mechanism
There is no install spec; the repository includes a package.json declaring an npm dependency (@dexterai/x402). That means the code relies on an npm package but the skill does not specify how/when it will be installed. Using an npm client library is reasonable but should be explicitly declared and vetted; missing install instructions reduce transparency.
Credentials
The script requires a highly sensitive env var (XONA_WALLET_SECRET — a Solana private key). Requiring a raw private key is high privilege and should be clearly declared, justified, and handled via secure platform-managed signing rather than a plaintext env var. The manifest currently lists no required credentials, creating an incoherence between declared and actual needs.
Persistence & Privilege
The skill does not request always:true and does not appear to modify other skills or global agent settings. However, autonomous invocation combined with access to a wallet private key increases the blast radius (the agent could autonomously trigger paid calls); the skill does not document user confirmation behavior for payments.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install x402-creative-resources
- After installation, invoke the skill by name or use /x402-creative-resources
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of x402-creative-resources.
- Provides API access to Xona's x402 creative tools for design research, image and video generation, X news extraction, and PumpFun token trends.
- Supports multiple image generation models (Designer, Grok Imagine, Qwen, Seedream, Nano Banana, and Pro) with clear usage guidance and pricing.
- Enables creative workflow automation using the provided x402-fetch.js script for all endpoints with automatic micropayment handling.
- Includes step-by-step workflow recommendations for creative assets, news content, and token intelligence.
Frequently Asked Questions
What is x402 Creative Resources?
Access Xona's x402 creative resource APIs on api.xona-agent.com. Includes creative director (design research), image generation (nano-banana, seedream, grok-... It is an AI Agent Skill for Claude Code / OpenClaw, with 667 downloads so far.
How do I install x402 Creative Resources?
Run "/install x402-creative-resources" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is x402 Creative Resources free?
Yes, x402 Creative Resources is completely free (open-source). You can download, install and use it at no cost.
Which platforms does x402 Creative Resources support?
x402 Creative Resources is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created x402 Creative Resources?
It is built and maintained by Xona Labs (@xona-labs); the current version is v1.0.0.