← Back to Skills Marketplace
0xrag

X402

by 0xRAG · GitHub ↗ · v0.1.0
cross-platform ⚠ suspicious
938
Downloads
0
Stars
2
Active Installs
1
Versions
Install in OpenClaw
/install x402-2
Description
Search for new services and make paid API requests using the x402 payment protocol. Use when you don't have a clear tool to choose, search the bazaar. You can also use this tool if you or the user want to call an x402 endpoint, discover payment requirements, browse the bazaar, or search for paid services.
Usage Guidance
This skill appears coherent in goal (discover and pay x402 endpoints) but omits important safety details. Before installing or using it: 1) verify the source and the npm package `awal` (there is no homepage/source listed); prefer a pinned package version instead of `@latest`; 2) do not run `npx awal@latest` in sensitive environments — use an isolated sandbox/VM to inspect the package first; 3) check what the `awal` CLI stores under ~/.config/awal (it may contain auth tokens or wallet keys) and understand how authentication is done; 4) require manual confirmation before any payment operations and avoid providing private keys or wallet secrets as environment variables without understanding storage/permissions; 5) ask the skill author for a homepage, repository, and a reproducible install spec; if you cannot get provenance and a review of the npm package, treat the skill as risky and avoid enabling autonomous payment actions.
Capability Analysis
Type: OpenClaw Skill Name: x402-2 Version: 0.1.0 The skill is classified as suspicious due to its inherent high-risk capabilities, despite no explicit malicious intent found within the skill bundle itself. It allows the AI agent to initiate arbitrary network requests to arbitrary URLs, potentially spending real money (USDC) via the x402 payment protocol. The reliance on `npx awal@latest` introduces a supply chain risk, as a compromised `awal` package could lead to malicious execution. While the `SKILL.md` does not contain prompt injection attempts or instructions for data exfiltration or persistence, the power to make paid, arbitrary network calls makes it a significant vulnerability if misused or if the underlying `awal` tool is compromised.
Capability Assessment
Purpose & Capability
Name/description match the SKILL.md: it is a helper for discovering and calling x402-paid endpoints. However the skill's instructions assume the presence/usage of external tooling (npx and the `awal` CLI) and a wallet/login flow but the metadata declares no required binaries, no credentials, and no source/homepage. That mismatch (declaring nothing required while instructing to run npx/awal and to authenticate/pay) is incoherent and unexplained.
Instruction Scope
The runtime instructions instruct the agent to discover endpoints, probe URLs by trying HTTP methods until a 402 response, and perform automatic USDC payments via `awal x402 pay`. They also reference cached data at ~/.config/awal/bazaar and authentication (awal auth login). These are within the stated purpose, but they allow the agent to perform financial actions and to read/write user config files without declaring or constraining that access (no explicit confirmation steps or credit/payment safeguards described). Probing arbitrary URLs by trying multiple HTTP methods and performing payments could have side effects and financial risk.
Install Mechanism
The skill is instruction-only (no install spec), but it explicitly tells users/agents to run `npx awal@latest x402`, which will fetch and execute the latest package from the npm registry at runtime. That implies downloading and executing third-party code without a pinned version, provenance, or homepage/source to verify. The skill metadata also lacks a declared source or homepage, increasing the risk that the runtime package could be untrusted or malicious.
Credentials
The SKILL.md requires authentication and a USDC wallet balance to make payments, and it refers to storing cached resources and presumably auth state under ~/.config/awal/. Yet the skill declares no required environment variables or credentials and no explanation where secret keys or wallet connections come from. Requesting no credentials in metadata while instructing to perform authenticated payments is disproportionate and missing important detail about how secrets are handled/stored.
Persistence & Privilege
The skill writes/reads cached data under ~/.config/awal/bazaar and will store authentication state via the `awal` CLI (per instructions). While always:false (not force-installed), the skill allows autonomous invocation (disable-model-invocation:false) and its primary action can initiate payments. Autonomous invocation combined with capabilities to store auth tokens and make payments increases potential blast radius if the fetched code or CLI behavior is malicious or misconfigured. The metadata does not describe safeguards (e.g., explicit user confirmation before paying).
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install x402-2
  3. After installation, invoke the skill by name or use /x402-2
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.0
x402-2 v0.1.0 Changelog - Initial release of x402 skill. - Enables searching for paid API services using the x402 protocol in the bazaar. - Supports inspecting payment requirements and schemas for endpoints before purchase. - Allows making automated, authenticated USDC payments and calling paid API endpoints. - Provides commands for searching, browsing, and discovering details about bazaar resources. - Includes error handling for authentication, insufficient balance, and endpoint compatibility.
Metadata
Slug x402-2
Version 0.1.0
License
All-time Installs 2
Active Installs 2
Total Versions 1
Frequently Asked Questions

What is X402?

Search for new services and make paid API requests using the x402 payment protocol. Use when you don't have a clear tool to choose, search the bazaar. You can also use this tool if you or the user want to call an x402 endpoint, discover payment requirements, browse the bazaar, or search for paid services. It is an AI Agent Skill for Claude Code / OpenClaw, with 938 downloads so far.

How do I install X402?

Run "/install x402-2" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is X402 free?

Yes, X402 is completely free (open-source). You can download, install and use it at no cost.

Which platforms does X402 support?

X402 is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created X402?

It is built and maintained by 0xRAG (@0xrag); the current version is v0.1.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments