← Back to Skills Marketplace
x402 Private Web Tools
by
kodos-vibe
· GitHub ↗
· v1.0.0
710
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install x402-private-web-tools
Description
Private web tools for AI agents — search, scrape, and screenshot the web with x402 micropayments (USDC on Base). Zero logging, no API keys, no accounts. Pay...
Usage Guidance
This appears to be an instruction-only client that installs npm packages and requires you to supply an EVM private key to pay per request. Before installing: (1) verify the npm packages (@x402/* and viem) and the GitHub repo referenced for the MCP server are legitimate and reviewed; (2) prefer saving the private key to a file with restrictive permissions (600) rather than exporting it into your shell long-term; (3) use an ephemeral wallet funded with minimal USDC/ETH (so a compromised key has limited impact); (4) note the wallet-gen script mentions Base Sepolia (testnet) while the README says Base mainnet — confirm which network is intended before sending funds; (5) be aware npm install will pull code from the registry into your home dir (supply-chain risk). If you are uncomfortable with those risks or cannot verify the package sources, do not install or fund a real mainnet wallet.
Capability Analysis
Type: OpenClaw Skill
Name: x402-private-web-tools
Version: 1.0.0
The skill is classified as suspicious due to the powerful capabilities of the `scripts/x402-fetch.mjs` script, which allows making arbitrary HTTP requests to user-provided URLs and saving the response body to arbitrary file paths via the `--save` option. While these features are necessary for the skill's stated purpose (web scraping, screenshots), they represent a significant attack surface for prompt injection against the AI agent. A malicious prompt could instruct the agent to fetch content from an attacker-controlled server and save it to a sensitive system file, potentially leading to arbitrary file write vulnerabilities or data exfiltration if combined with other techniques. There is no clear evidence of intentional malicious behavior (e.g., hardcoded exfiltration, backdoors), but the broad capabilities pose a high risk of misuse.
Capability Assessment
Purpose & Capability
Name/description, scripts, and CLI all align: the tool pays for web search/scrape/screenshot via an x402 payment SDK using an EVM wallet. However wallet-gen.mjs prints and documents Base Sepolia (testnet) while SKILL.md repeatedly instructs funding on Base mainnet — this mismatch is confusing and could cause users to fund the wrong chain.
Instruction Scope
Runtime instructions are narrowly scoped to installing the client, generating a wallet, and making paid requests to the declared gateway (https://search.reversesandbox.com). The scripts only read the wallet key (env var or key file) and perform network requests to the gateway; they do not access unrelated system paths or secrets.
Install Mechanism
setup.sh runs npm install in the user's ~/.x402-client directory and writes package.json, pulling three packages (@x402/fetch, @x402/evm, viem) from the npm registry. This is a standard but non-trivial supply-chain action: it will fetch and install third-party code into your home directory. The packages are not verified here and the skill includes no pinned source/release URLs.
Credentials
The skill requires an EVM private key to sign payments and instructs users to export X402_PRIVATE_KEY or store a key file. That is necessary for payments but is highly sensitive. The metadata declared no required env vars even though the scripts use X402_PRIVATE_KEY and X402_KEY_FILE. Also wallet-gen prints private keys to stdout (unless saved) which can leak the secret if logs are captured — the mismatch between 'mainnet' vs 'sepolia' in docs increases risk of mis-funding.
Persistence & Privilege
The skill is not always-on and does not request elevated system-wide privileges. It installs files into ~/.x402-client (its own directory) and does not modify other skills or global agent settings. Autonomous invocation is allowed by default (normal).
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install x402-private-web-tools - After installation, invoke the skill by name or use
/x402-private-web-tools - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release: search, scrape, screenshot via x402 micropayments
Metadata
Frequently Asked Questions
What is x402 Private Web Tools?
Private web tools for AI agents — search, scrape, and screenshot the web with x402 micropayments (USDC on Base). Zero logging, no API keys, no accounts. Pay... It is an AI Agent Skill for Claude Code / OpenClaw, with 710 downloads so far.
How do I install x402 Private Web Tools?
Run "/install x402-private-web-tools" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is x402 Private Web Tools free?
Yes, x402 Private Web Tools is completely free (open-source). You can download, install and use it at no cost.
Which platforms does x402 Private Web Tools support?
x402 Private Web Tools is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created x402 Private Web Tools?
It is built and maintained by kodos-vibe (@kodos-vibe); the current version is v1.0.0.
More Skills