Simmer X402
Flagged@adlai88
{"isSafe":false,"isSuspicious":true,"riskLevel":"high","findings":[{"category":"system_harm","severity":"high","description":"Fallback to a shared private key (WALLET_PRIVATE_KEY) if EVM_PRIVATE_KEY is not set. This implies key reuse among users, creating a single point of compromise that could drain funds.","evidence":"Falls back to `WALLET_PRIVATE_KEY` if `EVM_PRIVATE_KEY` is not set (same key Simmer/Polymarket users already have)."},{"category":"shell_command","severity":"low","description":"Environment variable-based private key handling (export EVM_PRIVATE_KEY=...) is standard but can leak if logs capture environment or if commands are printed. The doc provides safeguards but misuse could reveal keys.","evidence":"export EVM_PRIVATE_KEY=0x...your_private_key..."},{"category":"data_exfiltration","severity":"medium","description":"Code example contains a Bearer secret key in an Authorization header (sk_live_...). If copied, this could exfiltrate credentials or be misused to access paid endpoints.","evidence":"python x402_cli.py fetch \"https://x402.simmer.markets/api/sdk/context/market-123\" \\\n --header \"Authorization: Bearer sk_live_...\" --json"},{"category":"other","severity":"low","description":"The docs show fetch commands for arbitrary URLs without explicit input validation or allowlisting. Without server-side safety, there is potential for misuse (e.g., SSRF or unintended external calls) if the underlying fetch implementation is not properly constrained.","evidence":"| Command | Description | ... | python x402_cli.py fetch <url> --json |"}],"summary":"The skill describes a payments-based access pattern for gated APIs, which is legitimate. However, there are notable security concerns: (1) a shared private key fallback across users, (2) inclusion of secret-like tokens in example code, and (3) potential risks from fetching arbitrary URLs without clear input validation. To improve safety: remove or replace the shared key fallback with per-user keys, avoid embedding secrets in examples (use placeholders), and implement/document strict allowlists and auditing for external requests."}
npx machina-cli add skill @adlai88/simmer-x402 --openclawx402 Payments
Pay for x402-gated APIs using USDC on Base. This skill enables agents to autonomously make crypto payments when accessing paid web resources.
When to Use This Skill
Use this skill when:
- A skill or agent needs to fetch data from an x402-gated API (e.g., Kaito mindshare)
- You encounter HTTP 402 Payment Required responses
- You need to check your Base wallet balance (USDC + ETH)
- You want to pay for Simmer premium endpoints beyond free tier rate limits
Setup
-
Set your wallet private key
export EVM_PRIVATE_KEY=0x...your_private_key...Falls back to
WALLET_PRIVATE_KEYifEVM_PRIVATE_KEYis not set (same key Simmer/Polymarket users already have). Your EVM address works on all chains — Polygon for trading, Base for x402 payments. -
Fund with USDC on Base
- Send USDC to your wallet address on Base network
- x402 payments on Base are fully gasless — you only need USDC, no ETH
-
Install dependencies
pip install x402[httpx,evm]
Quick Commands
| Command | Description |
|---|---|
python x402_cli.py balance | Check USDC and ETH balances on Base |
python x402_cli.py fetch <url> | Fetch URL with automatic x402 payment |
python x402_cli.py fetch <url> --json | Same but output raw JSON only |
python x402_cli.py fetch <url> --dry-run | Show payment info without paying |
python x402_cli.py fetch <url> --max 5.00 | Override max payment limit |
python x402_cli.py rpc <network> <method> [params...] | Make RPC call via Quicknode x402 |
Examples
Check balance
python x402_cli.py balance
x402 Wallet Balance
==============================
Address: 0x1234...5678
Network: Base Mainnet
USDC: $42.50
ETH: 0.000000 ETH
Fetch free endpoint (no payment needed)
python x402_cli.py fetch "https://api.kaito.ai/api/v1/tokens" --json
Fetch Kaito mindshare data ($0.02/data point via x402)
python x402_cli.py fetch "https://api.kaito.ai/api/payg/mindshare?token=BTC&start_date=2026-02-13&end_date=2026-02-14" --json
Fetch Kaito sentiment data ($0.02/data point via x402)
python x402_cli.py fetch "https://api.kaito.ai/api/payg/sentiment?token=BTC&start_date=2026-02-13&end_date=2026-02-14" --json
Ask AlphaKek knowledge engine ($0.01 via x402)
python x402_cli.py fetch "https://api.alphakek.ai/x402/knowledge/ask" \
--method POST --body '{"question": "What is the current sentiment on BTC?", "search_mode": "fast"}' --json
Fetch CoinGecko price data ($0.01 via x402)
python x402_cli.py fetch "https://pro-api.coingecko.com/api/v3/x402/simple/price?ids=bitcoin&vs_currencies=usd" --json
Fetch Simmer premium endpoint
python x402_cli.py fetch "https://x402.simmer.markets/api/sdk/context/market-123" \
--header "Authorization: Bearer sk_live_..." --json
Quicknode RPC — blockchain calls without API keys
# Get ETH balance on Ethereum mainnet
python x402_cli.py rpc ethereum-mainnet eth_getBalance 0xd8dA6BF26964aF9D7eEd9e03E53415D37aA96045 latest
# Get latest block on Polygon
python x402_cli.py rpc polygon-mainnet eth_blockNumber
# Get token balance on Base
python x402_cli.py rpc base-mainnet eth_call '{"to":"0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913","data":"0x70a08231000000000000000000000000YOUR_ADDRESS"}' latest
Quicknode x402 supports 55+ networks (Ethereum, Polygon, Base, Arbitrum, Solana, Bitcoin, and more). $10 buys 1M RPC credits — each successful call costs 1 credit.
Supported x402 Providers
| Provider | Endpoint | Price | Description |
|---|---|---|---|
| Kaito | /api/payg/mindshare | $0.02/data point | Token mindshare time series |
| Kaito | /api/payg/sentiment | $0.02/data point | Token sentiment time series |
| Kaito | /api/payg/narrative_mindshare | $0.02/data point | Narrative mindshare time series |
| Kaito | /api/payg/smart_followers | $0.20/request | Smart follower metrics |
| AlphaKek | /x402/knowledge/ask | $0.01/request | AI knowledge engine (POST, search_mode: fast/deep/ultrafast) |
| CoinGecko | /api/v3/x402/simple/price | $0.01/request | Token price data |
| Simmer | /api/sdk/context/:id | $0.005/request | Market context (rate limit bypass) |
| Simmer | /api/sdk/briefing | $0.005/request | Portfolio briefing (rate limit bypass) |
| Quicknode | /:network (55+ networks) | $10/1M credits | Pay-per-request RPC access (no API key needed) |
Kaito API docs: https://github.com/MetaSearch-IO/KaitoX402APIDocs Quicknode x402 docs: https://x402.quicknode.com/llms.txt
Configuration
| Setting | Environment Variable | Default | Description |
|---|---|---|---|
| Wallet key | EVM_PRIVATE_KEY | (required) | Hex-encoded private key (falls back to WALLET_PRIVATE_KEY) |
| Max payment | X402_MAX_PAYMENT_USD | 10.00 | Safety cap per request |
| Network | X402_NETWORK | mainnet | mainnet or testnet |
Or set via config.json in the skill directory:
{
"max_payment_usd": 10.00,
"network": "mainnet"
}
How It Works
- Skill makes HTTP request to the target URL
- If server returns 200 — done, no payment needed
- If server returns 402 Payment Required — x402 SDK reads payment requirements
- SDK signs a USDC transfer authorization on Base (no gas needed)
- SDK retries request with payment signature
- Server verifies payment, returns gated content
All payment handling is automatic via the official Coinbase x402 Python SDK.
For Other Skills
Other skills can import x402 functions directly:
from skills.x402.x402_cli import x402_fetch
# Returns parsed JSON response
data = await x402_fetch("https://api.kaito.ai/api/payg/mindshare?token=BTC")
Security
- Uses the official Coinbase
x402Python SDK for payment signing - Private key never leaves your machine
- Max payment safety cap prevents accidental overspend
- Dry-run mode to preview payments before executing
Private key safety:
- Store your key in a
.envfile, never pass it inline in shell history - Ensure
.envis in your.gitignore— never commit private keys to git - Use a dedicated hot wallet with limited funds, not your main wallet
- Rotate the key immediately if you suspect it was exposed
Troubleshooting
"EVM_PRIVATE_KEY not set"
- Set your wallet private key:
export EVM_PRIVATE_KEY=0x...
"Insufficient USDC balance"
- Fund your wallet with USDC on Base network
- Run
python x402_cli.py balanceto check
"Payment exceeds max limit"
- Increase limit:
--max 50or setX402_MAX_PAYMENT_USD=50
"Unsupported network in payment options"
- Ensure you have USDC on Base. Some providers may offer other chains but this skill uses Base only.
Overview
Simmer X402 lets agents pay for x402-gated APIs using USDC on Base to access paid resources. It enables autonomous payments when fetching data from gated endpoints like Kaito mindshare or Simmer premium endpoints. This matters because it unlocks paid data without manual intervention.
How This Skill Works
The skill uses the x402 protocol to trigger payments when a 402 is returned by a gated API. It signs and sends USDC payments on Base using your EVM private key, with Base handling gas for you. It also supports balance checks and optional dry-run or max payment limits to control spend.
When to Use It
- To fetch data from an x402-gated API (e.g., Kaito mindshare).
- When an API response returns HTTP 402 Payment Required.
- To verify your USDC and ETH balances on Base before paying.
- To access Simmer premium endpoints beyond the free tier.
- To integrate x402 payments into automated workflows with any supported provider.
Quick Start
- Step 1: Set your wallet private key
- Step 2: Fund with USDC on Base and install dependencies
- Step 3: Run fetch commands, e.g., python x402_cli.py fetch <url> --json
Best Practices
- Protect and rotate your EVM_PRIVATE_KEY; avoid exposing it in logs or code.
- Set a sensible max payment limit per request with --max to prevent overcharging.
- Use --dry-run first to preview payments before actual execution.
- Ensure your Base USDC balance is funded before making requests.
- Monitor balances and permissions regularly to avoid payment failures.
Example Use Cases
- Fetch Kaito mindshare data via x402 payments to unlock gated insights.
- Access Simmer premium endpoints that require payment per data point.
- Query AlphaKek knowledge engine through x402-enabled requests.
- Retrieve CoinGecko price data using x402 for paid endpoints.
- Use Quicknode RPC calls across 55+ networks with x402 payments on Base.
