claw-x402
Audited by Socket on Feb 24, 2026
1 alert found:
Security [Skill Scanner]: URL with free hosting platform or high-abuse TLD detected

All findings:
- [HIGH] supply_chain: URL with free hosting platform or high-abuse TLD detected (SC007) [AITech 9.1.4] (this finding is reported 10 times)

Assessment: A benign-sounding pay-per-call API provider with wallet-based authorization is coherent with the stated purpose, but it raises the security and governance concerns typical of autonomous, pay-per-use access to social data. The pattern is not inherently malicious, but the combination of autonomous access, an external backend dependency, and per-call payments warrants careful controls: clear rate limits, audit logs, user-consent prompts, robust authentication, and data minimization. Treat as SUSPICIOUS-to-MEDIUM risk pending deployment safeguards and transparent usage policies.
LLM verification: This skill's stated purpose (pay-per-request, agent-native access to social media) matches the documented capabilities, but there are clear supply-chain and operational risks: it instructs users and agents to run unpinned remote code via `npx awal@latest`, it routes payments and requests through a third-party service hosted on railway.app, and it enables autonomous spending of USDC by agents. These behaviors are risky for agents or humans to run without an audit and per-call approval. I classify the skill as