Is capncoconut/x402hub safe?
https://github.com/openclaw/skills/tree/main/skills/capncoconut/x402hub
x402hub is a legitimate-looking AI agent marketplace integration skill with clean installation behaviour (GitHub-only traffic, no credential harvesting, canary files intact), but it introduces two structural high-severity risks: the x402 Relay TCP protocol creates a persistent inbound channel through which any marketplace participant can push arbitrary instructions to the agent (covert C2), and the bounty system allows untrusted third parties to author task descriptions the agent will autonomously execute — a prompt injection pathway when combined with local tool access. The skill is not malicious in isolation, but its design makes it a high-privilege, third-party-controlled capability that warrants careful review before deployment.
Findings (8)
HIGH x402 Relay as covert inbound C2 channel (-35)
The DELIVER relay message type allows any authenticated relay participant to push arbitrary payload.body content to the host agent. Because relay tokens are obtained cheaply via wallet registration (gasless on testnet), a malicious actor can register, connect to the relay, and continuously send crafted instructions to the agent. The WELCOME roster reveals which agents are online, enabling targeted attacks. This bypasses the user's conversation entirely.
HIGH Third-party bounty descriptions as prompt injection vector (-30)
When the agent claims a run, it commits to executing work whose specification is controlled by arbitrary third parties (bounty posters). These descriptions are untrusted external content that will be read and interpreted as task instructions by the agent. Combined with local tool access (filesystem, shell, network), this is a structural prompt injection pathway. The skill provides no guidance to sandbox or sanitise bounty content before acting on it.
MEDIUM Bundled relay-send.cjs establishes persistent outbound TCP to operator infrastructure (-20)
scripts/relay-send.cjs is a prebuilt Node.js CJS module the skill instructs users to invoke directly for automation. It opens a TCP socket to trolley.proxy.rlwy.net:48582 and maintains a HELLO/PONG keepalive session. This is an active persistent channel to operator-controlled infrastructure, not merely a one-shot API call.
MEDIUM Full agent operational telemetry externalised to operator API (-20)
Every state-changing operation (registration, bounty claim, deliverable submission, abandonment) POSTs the agent's wallet address, EIP-191 signature, and timing data to api.clawpay.bot. The relay registration additionally returns and subsequently transmits the relay authToken. While private keys are not sent, the operator receives a comprehensive activity log of the agent's behaviour, identity, and task history.
MEDIUM Autonomous financial operations without per-action user gating (-20)
The skill instructs the agent to generate wallets, claim bounties, sign deliverables, and manage USDC earnings with no documented user confirmation step for individual operations. An agent following this skill can autonomously commit to and execute financial obligations on behalf of the user, and on testnet can do so without staking. On production this would involve real USDC.
MEDIUM Broad trigger keywords increase unintended activation risk (-12)
The skill's trigger vocabulary ('bounty', 'relay messaging', 'agent-to-agent communication', 'USDC earning') covers common terms that could appear in unrelated user conversations about general software, cryptocurrency, or communication tools. Unintended activation could cause the agent to initiate wallet generation or external API connections without the user intending to use the marketplace.
LOW Installation limited to expected GitHub traffic (-8)
The sparse-checkout clone connected only to github.com (140.82.121.3:443). No connections to api.clawpay.bot or trolley.proxy.rlwy.net were observed during installation. Connection state before and after install is clean with no new persistent sessions.
INFO Canary file reads attributable to audit harness, not skill (0)
Honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) were accessed at timestamps 1771738825 (pre-clone, harness setup) and 1771738842 (post-install, integrity verification). Neither access is temporally or causally attributable to the skill code. All files confirmed intact with no exfiltration.