x402-compute@ 1.4.1
github.com/clawhub.ai/x402-compute
Scanned Thu, 28 May 2026 16:26:23 GMT
Scan ID crawl-cpobsqroe57azjsdceahvfjv · 2ms
C
SCORE 55 / 100
Verdict: Proceed with caution
7 high-severity findings.
This skill reads protected filesystem locations plus 7 other issues listed below.
0 critical7 high1 medium4 rules passed
Why grade C?
score · 55 / 100The current grade reflects 7 high-severity findings (3+ HIGHs → C).
0 CRIT7 HIGH1 MED0 LOW
To reach a higher grade
- BReach Btarget score 75
Resolve 5 of 7 HIGH (cap is 2).
- AReach Atarget score 95
Resolve all 7 HIGH.
Thresholds are documented at /docs/grading. Source-of-truth is the grade() function in @skillox/scanner.
Findings · ordered by severity
highSensitive filesystem path referencedThe skill references a path (`~\/\.ssh\/`) that contains credentials or system secrets. Reading this from an unsandboxed skill is a credential-exfiltration vector.▾
Sensitive filesystem path referenced
The skill references a path (`~\/\.ssh\/`) that contains credentials or system secrets. Reading this from an unsandboxed skill is a credential-exfiltration vector.
174
175# Generate a dedicated SSH key once (recommended for agents)
176ssh-keygen -t ed25519 -N "" -f ~/.ssh/x402_compute← sensitive path — credential-exfiltration vector
177
178# Provision an instance for 1 month (triggers x402 payment)
highSensitive filesystem path referencedThe skill references a path (`~\/\.ssh\/`) that contains credentials or system secrets. Reading this from an unsandboxed skill is a credential-exfiltration vector.▾
Sensitive filesystem path referenced
The skill references a path (`~\/\.ssh\/`) that contains credentials or system secrets. Reading this from an unsandboxed skill is a credential-exfiltration vector.
177
178# Provision an instance for 1 month (triggers x402 payment)
179python {baseDir}/scripts/provision.py vcg-a100-1c-2g-6gb lax --months 1 --label "my-gpu" --ssh-key-file ~/.ssh/x402_compute.pub← sensitive path — credential-exfiltration vector
180
181# DigitalOcean plans are prefixed with do:
highSensitive filesystem path referencedThe skill references a path (`~\/\.ssh\/`) that contains credentials or system secrets. Reading this from an unsandboxed skill is a credential-exfiltration vector.▾
Sensitive filesystem path referenced
The skill references a path (`~\/\.ssh\/`) that contains credentials or system secrets. Reading this from an unsandboxed skill is a credential-exfiltration vector.
181# DigitalOcean plans are prefixed with do:
182# They require SSH key access.
183python {baseDir}/scripts/provision.py do:s-1vcpu-1gb nyc3 --days 1 --label "do-test" --ssh-key-file ~/.ssh/x402_compute.pub← sensitive path — credential-exfiltration vector
184
185# Provision a daily instance (cheaper, use-and-throw)
highSensitive filesystem path referencedThe skill references a path (`~\/\.ssh\/`) that contains credentials or system secrets. Reading this from an unsandboxed skill is a credential-exfiltration vector.▾
Sensitive filesystem path referenced
The skill references a path (`~\/\.ssh\/`) that contains credentials or system secrets. Reading this from an unsandboxed skill is a credential-exfiltration vector.
184
185# Provision a daily instance (cheaper, use-and-throw)
186python {baseDir}/scripts/provision.py vc2-1c-1gb ewr --days 1 --label "test-daily" --ssh-key-file ~/.ssh/x402_compute.pub← sensitive path — credential-exfiltration vector
187
188# Provision for 3 days
highSensitive filesystem path referencedThe skill references a path (`~\/\.ssh\/`) that contains credentials or system secrets. Reading this from an unsandboxed skill is a credential-exfiltration vector.▾
Sensitive filesystem path referenced
The skill references a path (`~\/\.ssh\/`) that contains credentials or system secrets. Reading this from an unsandboxed skill is a credential-exfiltration vector.
187
188# Provision for 3 days
189python {baseDir}/scripts/provision.py vc2-1c-1gb ewr --days 3 --label "short-task" --ssh-key-file ~/.ssh/x402_compute.pub← sensitive path — credential-exfiltration vector
190
191# Provision on Solana
highSensitive filesystem path referencedThe skill references a path (`~\/\.ssh\/`) that contains credentials or system secrets. Reading this from an unsandboxed skill is a credential-exfiltration vector.▾
Sensitive filesystem path referenced
The skill references a path (`~\/\.ssh\/`) that contains credentials or system secrets. Reading this from an unsandboxed skill is a credential-exfiltration vector.
190
191# Provision on Solana
192python {baseDir}/scripts/provision.py vc2-1c-1gb ewr --months 1 --label "my-sol-vps" --network solana --ssh-key-file ~/.ssh/x402_compute.pub← sensitive path — credential-exfiltration vector
193
194# Provision on MegaETH (pays with USDm)
highSensitive filesystem path referencedThe skill references a path (`~\/\.ssh\/`) that contains credentials or system secrets. Reading this from an unsandboxed skill is a credential-exfiltration vector.▾
Sensitive filesystem path referenced
The skill references a path (`~\/\.ssh\/`) that contains credentials or system secrets. Reading this from an unsandboxed skill is a credential-exfiltration vector.
193
194# Provision on MegaETH (pays with USDm)
195python {baseDir}/scripts/provision.py vc2-1c-1gb ewr --months 1 --label "my-mega-vps" --network megaeth --ssh-key-file ~/.ssh/x402_compute.pub← sensitive path — credential-exfiltration vector
196
197# Provision via MPP / mppx (Tempo by default; Stripe/card if your mppx config supports it)
medNo capability manifest declaredThe skill ships without a `manifest.yaml` or `capabilities` block in its frontmatter. Without a manifest, the runtime cannot enforce what this skill is permitted to do.rule: no-manifest▾
No capability manifest declared
The skill ships without a `manifest.yaml` or `capabilities` block in its frontmatter. Without a manifest, the runtime cannot enforce what this skill is permitted to do.
rule:
no-manifestskillox.io/r/crawl-cpobsqroe57azjsdceahvfjv