← 返回 Skills 市场
938
总下载
0
收藏
2
当前安装
1
版本数
在 OpenClaw 中安装
/install x402-2
功能描述
Search for new services and make paid API requests using the x402 payment protocol. Use when you don't have a clear tool to choose, search the bazaar. You can also use this tool if you or the user want to call an x402 endpoint, discover payment requirements, browse the bazaar, or search for paid services.
安全使用建议
This skill appears coherent in goal (discover and pay x402 endpoints) but omits important safety details. Before installing or using it: 1) verify the source and the npm package `awal` (there is no homepage/source listed); prefer a pinned package version instead of `@latest`; 2) do not run `npx awal@latest` in sensitive environments — use an isolated sandbox/VM to inspect the package first; 3) check what the `awal` CLI stores under ~/.config/awal (it may contain auth tokens or wallet keys) and understand how authentication is done; 4) require manual confirmation before any payment operations and avoid providing private keys or wallet secrets as environment variables without understanding storage/permissions; 5) ask the skill author for a homepage, repository, and a reproducible install spec; if you cannot get provenance and a review of the npm package, treat the skill as risky and avoid enabling autonomous payment actions.
功能分析
Type: OpenClaw Skill
Name: x402-2
Version: 0.1.0
The skill is classified as suspicious due to its inherent high-risk capabilities, despite no explicit malicious intent found within the skill bundle itself. It allows the AI agent to initiate arbitrary network requests to arbitrary URLs, potentially spending real money (USDC) via the x402 payment protocol. The reliance on `npx awal@latest` introduces a supply chain risk, as a compromised `awal` package could lead to malicious execution. While the `SKILL.md` does not contain prompt injection attempts or instructions for data exfiltration or persistence, the power to make paid, arbitrary network calls makes it a significant vulnerability if misused or if the underlying `awal` tool is compromised.
能力评估
Purpose & Capability
Name/description match the SKILL.md: it is a helper for discovering and calling x402-paid endpoints. However the skill's instructions assume the presence/usage of external tooling (npx and the `awal` CLI) and a wallet/login flow but the metadata declares no required binaries, no credentials, and no source/homepage. That mismatch (declaring nothing required while instructing to run npx/awal and to authenticate/pay) is incoherent and unexplained.
Instruction Scope
The runtime instructions instruct the agent to discover endpoints, probe URLs by trying HTTP methods until a 402 response, and perform automatic USDC payments via `awal x402 pay`. They also reference cached data at ~/.config/awal/bazaar and authentication (awal auth login). These are within the stated purpose, but they allow the agent to perform financial actions and to read/write user config files without declaring or constraining that access (no explicit confirmation steps or credit/payment safeguards described). Probing arbitrary URLs by trying multiple HTTP methods and performing payments could have side effects and financial risk.
Install Mechanism
The skill is instruction-only (no install spec), but it explicitly tells users/agents to run `npx awal@latest x402`, which will fetch and execute the latest package from the npm registry at runtime. That implies downloading and executing third-party code without a pinned version, provenance, or homepage/source to verify. The skill metadata also lacks a declared source or homepage, increasing the risk that the runtime package could be untrusted or malicious.
Credentials
The SKILL.md requires authentication and a USDC wallet balance to make payments, and it refers to storing cached resources and presumably auth state under ~/.config/awal/. Yet the skill declares no required environment variables or credentials and no explanation where secret keys or wallet connections come from. Requesting no credentials in metadata while instructing to perform authenticated payments is disproportionate and missing important detail about how secrets are handled/stored.
Persistence & Privilege
The skill writes/reads cached data under ~/.config/awal/bazaar and will store authentication state via the `awal` CLI (per instructions). While always:false (not force-installed), the skill allows autonomous invocation (disable-model-invocation:false) and its primary action can initiate payments. Autonomous invocation combined with capabilities to store auth tokens and make payments increases potential blast radius if the fetched code or CLI behavior is malicious or misconfigured. The metadata does not describe safeguards (e.g., explicit user confirmation before paying).
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install x402-2 - 安装完成后,直接呼叫该 Skill 的名称或使用
/x402-2触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v0.1.0
x402-2 v0.1.0 Changelog
- Initial release of x402 skill.
- Enables searching for paid API services using the x402 protocol in the bazaar.
- Supports inspecting payment requirements and schemas for endpoints before purchase.
- Allows making automated, authenticated USDC payments and calling paid API endpoints.
- Provides commands for searching, browsing, and discovering details about bazaar resources.
- Includes error handling for authentication, insufficient balance, and endpoint compatibility.
元数据
常见问题
X402 是什么?
Search for new services and make paid API requests using the x402 payment protocol. Use when you don't have a clear tool to choose, search the bazaar. You can also use this tool if you or the user want to call an x402 endpoint, discover payment requirements, browse the bazaar, or search for paid services. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 938 次。
如何安装 X402?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install x402-2」即可一键安装,无需额外配置。
X402 是免费的吗?
是的,X402 完全免费(开源免费),可自由下载、安装和使用。
X402 支持哪些平台?
X402 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 X402?
由 0xRAG(@0xrag)开发并维护,当前版本 v0.1.0。
推荐 Skills