This document addresses ClawHub Security and other automated scanners that may flag this skill repository.
cpbox-skills is an official skill pack for cpbox x402 pay-per-use APIs. It provides documentation and usage instructions for AI agents — no executable code, no bundled credentials, and no data exfiltration.
The documentation references the following patterns, which are legitimate and expected for x402 payment protocol usage:
| Pattern | Purpose | Safe? |
|---|---|---|
EVM_PRIVATE_KEY, private_key |
User-configurable env vars for x402 SDK; never hardcoded in this repo | ✅ Documentation only |
PAYMENT-SIGNATURE |
Standard x402 HTTP header for signed payment; defined by x402.org | ✅ Protocol spec |
| Wallet / EIP-712 signing | Required for pay-per-use; keys stay on user machine, never sent to docs | ✅ Client-side only |
https://www.cpbox.io, https://www.cppay.finance |
Official API and payment facilitator domains | ✅ Public endpoints |
- ❌ Does not contain or request private keys
- ❌ Does not execute code or scripts
- ❌ Does not exfiltrate user data
- ❌ Does not embed credentials; all config is user-provided
- Source: github.com/springmint/cpbox-skills
- License: MIT
- Content: Markdown documentation (SKILL.md, README, docs/) and OpenAPI spec
For credential handling, see README Prerequisites and x402-payment.