Free secret-scan preview plus pay-per-call security audits for AI agents
Inspect Fabler Labs’ live x402 catalog and scan up to 2,048 characters for common credential patterns at no cost. Findings mask matched values. For larger inputs and agent-config or code-diff security audits, install the open-source wallet-capable client; each paid call shows and settles its exact USDC price on Base with no Fabler account or API key. The remote marketplace tools are free. Built and operated by an autonomous AI agent under owner supervision.
This is a well-designed MCP server for x402 payment-gated tools with thoughtful security practices around key handling and credential management. The server properly isolates wallet keys to environment variables, never logs sensitive material, and implements careful error redaction in the payment path. No critical vulnerabilities or malicious patterns detected. Minor code quality observations around error handling and input validation do not materially impact the security posture.
6 files analyzed · 5 issues found
Security scores are indicators to help you make informed decisions, not guarantees. Always review permissions before connecting any MCP server.
This plugin requests these system permissions. Most are normal for its category.
Available as Local & Remote
This plugin can run on your machine or connect to a hosted endpoint. during install.
Once installed, try these example prompts and explore these capabilities:
From the project's GitHub README.
Paid agent tools, billed per call over x402 on Base. Point any MCP client (Claude Code, Claude Desktop, ...) at this server to give your agent secret scanning, agent-config auditing, diff-security gating, pre-deploy evidence validation, and OG image rendering — plus a free product catalog it can check before spending anything. No account, no API key: payment over x402 is the auth.
Built and operated by an autonomous AI agent. Fabler Labs' products, including this server and the API behind it, are built by a Claude agent running a real business unattended on a VPS (the agent's public brain). The agent discloses this everywhere, including here: no human wrote the code in this repo.
| Tool | Cost | What it does |
|---|---|---|
fabler_list_products | free | List current products and their per-call USDC price. Call this first. |
fabler_scan_secrets | paid | Scan text for leaked API keys/secrets/tokens (Stripe, GitHub, AWS, PEM keys, JWTs, Slack, Telegram, Cloudflare, generic high-entropy). |
fabler_audit_agent_config | paid | Audit a CLAUDE.md/AGENTS.md or a governing CONSTITUTION.md against agent-config best practices; returns a 0-100 score and specific findings. |
fabler_audit_diff_security | paid | Scan added lines in a unified diff for leaked secrets and high-signal security patterns; returns a pass/block verdict. |
fabler_audit_pre_deploy | paid | Validate an 18-point release review record for missing, failed, or evidence-free checks; returns ready/blocked. |
fabler_render_og | paid | Render a branded 1200×630 OG/social-card image from a title/subtitle; returns the raw image bytes. |
Exact per-call prices are served live by fabler_list_products — they are
not hardcoded here so this README can't go stale. See
x402.fablerlabs.com for the human-readable
overview, or GET https://x402.fablerlabs.com/ for the machine-readable
catalog these tools call under the hood.
The same catalog also exposes a low-ticket product for agents that need a review artifact rather than an API result:
GET https://x402.fablerlabs.com/buy/pre-deploy-security-checklist
$0.10 USDC on Base -> pre-deploy-security-checklist.zip
It is an editable 18-point checklist covering secrets, authentication, data
handling, dependencies, infrastructure, rollback, and sign-off. An unpaid request
returns the standard x402 challenge; a paid replay returns the zip directly. This
download is not an MCP tool and does not require this client. A $1 card checkout
for human buyers is available at fablerlabs.com/checklist.
Four ways to use these tools — options 1-3 expose all six tools; option 4 is the install-free catalog:
npx, straight from GitHub (no install step){
"mcpServers": {
"fabler-x402-tools": {
"command": "npx",
"args": ["-y", "github:fablerlabs/x402-tools"],
"env": { "X402_BUYER_PRIVATE_KEY": "0x..." }
}
}
}
Add that to your MCP client config — Claude Code: .mcp.json at your
project root; Claude Desktop: claude_desktop_config.json.
git clone https://github.com/fablerlabs/x402-tools && cd x402-tools
npm install
{ "command": "node", "args": ["/path/to/x402-tools/mcp/server.js"] }
.mcpb)Build (or download from a release)
dist/fabler-x402-tools.mcpb via bash mcp/build-mcpb.sh, then drag it into
Claude Desktop's extensions settings. Configure X402_BUYER_PRIVATE_KEY in
the extension's settings UI instead of a config file. The extension bundles the
x402 payment libraries, so automatic payment works without a separate npm install.
X402_BUYER_PRIVATE_KEY is optional in every install path — omit it
entirely if you'd rather pay challenges through your own x402-capable rails
(see "Payment flow" below).
{
"mcpServers": {
"fabler-x402-catalog": {
"type": "http",
"url": "https://x402.fablerlabs.com/mcp"
}
}
}
This remote server is listed in the official MCP Registry as
com.fablerlabs/x402-tools. It exposes the free fabler_list_products catalog
and a fabler_scan_secrets_preview tool capped at 2,048 characters. Use options
1-3 for full scans and the other paid tools.
Normal npm and npx github:... installs include the optional x402 payment
dependencies. If they were explicitly omitted, install them before enabling
automatic payment:
npm install @x402/fetch @x402/evm viem
The server still works without them, but returns the structured 402 challenge instead of signing a retry.
Every paid tool call hits a Fabler x402 endpoint under
https://x402.fablerlabs.com (override with X402_BASE_URL, e.g. for local
testing against a staging deploy).
X402_BUYER_PRIVATE_KEY set and the v2 @x402/fetch, @x402/evm, and viem packages installed:
the server signs and settles the 402 payment on Base automatically using
@x402/fetch's v2 payment wrapper, then returns the tool's real result.402 Payment Required, the server does not treat this as an error — it
decodes the x402 v2 PAYMENT-REQUIRED response header and returns the parsed
challenge (accepts array: scheme, network, amount, payTo address, asset,
etc.) as the tool's structured result, along
with a note explaining how to pay it. Your agent (or you) can settle that
challenge through any x402-capable wallet/rails and retry the call.See snippets/ for three ways to pay a challenge by hand
(curl + a signer, Node + @x402/fetch, Python + eth-account), and
examples/buyer-sim/ for a full offline
challenge→pay→retry→verify harness you can run without spending anything.
X402_BUYER_PRIVATE_KEY is your own wallet key — never Fabler Labs'.
It is:
viem wallet client for signing
x402 payment payloads;Treat it like any other hot-wallet key: fund it with only what you're willing to spend on these tools, and prefer a dedicated wallet over your main one.
Also note: the scan and audit tools send the text or diff you pass as an argument to the Fabler x402 API for processing. Don't pass data you're not willing to transmit off-machine. Full policy in SECURITY.md.
mcp/server.json declares
com.fablerlabs/x402-tools as the free Streamable HTTP tool server at
https://x402.fablerlabs.com/mcp. Submit it with mcp-publisher using DNS
authentication on fablerlabs.com. Add the stdio package to the same manifest
only after that package is actually published.bash mcp/build-mcpb.sh builds
dist/fabler-x402-tools.mcpb from manifest.json, LICENSE,
and an esbuild bundle containing the server plus its x402 payment dependencies.
This is a second, independent distribution path from the remote registry entry;
both point at the same catalog and API..claude-plugin/ makes this
repo installable as a Claude Code plugin directly (plugin.json + mcp.json).npm install
npm test
Runs mcp/test/mcp-smoke.mjs (spawns mcp/server.js, performs a real
initialize + tools/list handshake over stdio, asserts all six tools are
present with a description and inputSchema — no network, no env vars)
followed by examples/buyer-sim/buyer.mjs --mock (an offline
challenge→pay→retry→verify simulation against every paid route — see that
directory's README). It also builds the .mcpb and proves that the isolated
bundle signs and retries a mocked v2 payment challenge. No test calls the real
API or needs a funded wallet.
MIT
Be the first to review this server!
by Toleno · Developer Tools
Toleno Network MCP Server — Manage your Toleno mining account with Claude AI using natural language.
by mcp-marketplace · Developer Tools
Create, build, and publish Python MCP servers to PyPI — conversationally.
by Microsoft · Content & Media
Convert files (PDF, Word, Excel, images, audio) to Markdown for LLM consumption
by mcp-marketplace · Developer Tools
Search and install MCP servers from inside your AI client.
by mcp-marketplace · Finance
Free stock data and market news for any MCP-compatible AI assistant.
by mcp-marketplace · Developer Tools
Scaffold, build, and publish TypeScript MCP servers to npm — conversationally