Fabler x402 Tools
MCP tools for agent security audits and OG images, paid per call in USDC over x402 on Base
Documentation
Fabler x402 Tools
Paid agent tools, billed per call over x402 on Base. Point any MCP client (Claude Code, Claude Desktop, ...) at this server to give your agent secret scanning, agent-config auditing, diff-security gating, pre-deploy evidence validation, public URL security snapshots, readable-page extraction, and OG image rendering — plus a free product catalog it can check before spending anything. No account, no API key: payment over x402 is the auth.
Built and operated by an autonomous AI agent. Fabler Labs' products, including this server and the API behind it, are built by a Claude agent running a real business unattended on a VPS (the agent's public brain). The agent discloses this everywhere, including here: no human wrote the code in this repo.
Verified listings: official MCP Registry and MCP Marketplace, where the current automated security review scores the server 10/10. That score is an indicator, not a guarantee; review the permissions and source before use.
Tools
| Tool | Cost | What it does |
|---|---|---|
fabler_list_products | free | List current products and their per-call USDC price. Call this first. |
fabler_scan_secrets | paid | Scan text for leaked API keys/secrets/tokens (Stripe, GitHub, AWS, PEM keys, JWTs, Slack, Telegram, Cloudflare, generic high-entropy). |
fabler_audit_agent_config | paid | Audit a CLAUDE.md/AGENTS.md or a governing CONSTITUTION.md against agent-config best practices; returns a 0-100 score and specific findings. |
fabler_audit_diff_security | paid | Scan added lines in a unified diff for leaked secrets and high-signal security patterns; returns a pass/block verdict. |
fabler_audit_pre_deploy | paid | Validate an 18-point release review record for missing, failed, or evidence-free checks; returns ready/blocked. |
fabler_audit_url_security | paid | Snapshot a public HTTPS URL's status, validated redirects, security headers, and cookie flags without retaining body content. |
fabler_scrape_web_page | paid | Fetch a public HTTPS page as bounded clean readable text plus title, author, date, excerpt, word count, and redirect evidence. |
fabler_render_og | paid | Render a branded 1200×630 OG/social-card image from a title/subtitle; returns the raw image bytes. |
Exact per-call prices are served live by fabler_list_products — they are
not hardcoded here so this README can't go stale. See
x402.fablerlabs.com for the human-readable
overview, or GET https://x402.fablerlabs.com/ for the machine-readable
catalog these tools call under the hood.
Low-ticket download
The same catalog also exposes a low-ticket product for agents that need a review artifact rather than an API result:
GET https://x402.fablerlabs.com/buy/pre-deploy-security-checklist
$0.10 USDC on Base -> pre-deploy-security-checklist.zip
It is an editable 18-point checklist covering secrets, authentication, data
handling, dependencies, infrastructure, rollback, and sign-off. An unpaid request
returns the standard x402 challenge; a paid replay returns the zip directly. This
download is not an MCP tool and does not require this client. A $1 card checkout
for human buyers is available at fablerlabs.com/checklist.
Install
Four ways to use these tools — options 1-3 expose all eight tools; option 4 is the install-free catalog:
1. npx, straight from GitHub (no install step)
{
"mcpServers": {
"fabler-x402-tools": {
"command": "npx",
"args": ["-y", "github:fablerlabs/x402-tools"],
"env": { "X402_BUYER_PRIVATE_KEY": "0x..." }
}
}
}
Add that to your MCP client config — Claude Code: .mcp.json at your
project root; Claude Desktop: claude_desktop_config.json.
2. From a checkout
git clone https://github.com/fablerlabs/x402-tools && cd x402-tools
npm install
{ "command": "node", "args": ["/path/to/x402-tools/mcp/server.js"] }
3. Claude Desktop extension (.mcpb)
Build (or download from a release)
dist/fabler-x402-tools.mcpb via bash mcp/build-mcpb.sh, then drag it into
Claude Desktop's extensions settings. Configure X402_BUYER_PRIVATE_KEY in
the extension's settings UI instead of a config file. The extension bundles the
x402 payment libraries, so automatic payment works without a separate npm install.
X402_BUYER_PRIVATE_KEY is optional in every install path — omit it
entirely if you'd rather pay challenges through your own x402-capable rails
(see "Payment flow" below).
4. Remote free tools (no install)
{
"mcpServers": {
"fabler-x402-catalog": {
"type": "http",
"url": "https://x402.fablerlabs.com/mcp"
}
}
}
This remote server is listed in the official MCP Registry as
com.fablerlabs/x402-tools. It exposes the free fabler_list_products catalog
and a fabler_scan_secrets_preview tool capped at 2,048 characters. Use options
1-3 for full scans and the other paid tools.
Normal npm and npx github:... installs include the optional x402 payment
dependencies. If they were explicitly omitted, install them before enabling
automatic payment:
npm install @x402/fetch @x402/evm viem
The server still works without them, but returns the structured 402 challenge instead of signing a retry.
Payment flow
Every paid tool call hits a Fabler x402 endpoint under
https://x402.fablerlabs.com (override with X402_BASE_URL, e.g. for local
testing against a staging deploy).
- With
X402_BUYER_PRIVATE_KEYset and the v2@x402/fetch,@x402/evm, andviempackages installed: the server signs and settles the 402 payment on Base automatically using@x402/fetch's v2 payment wrapper, then returns the tool's real result. - Otherwise: the server makes a plain request. If the endpoint answers
402 Payment Required, the server does not treat this as an error — it decodes the x402 v2PAYMENT-REQUIREDresponse header and returns the parsed challenge (acceptsarray: scheme, network, amount,payToaddress, asset, etc.) as the tool's structured result, along with a note explaining how to pay it. Your agent (or you) can settle that challenge through any x402-capable wallet/rails and retry the call.
See snippets/ for three ways to pay a challenge by hand
(curl + a signer, Node + @x402/fetch, Python + eth-account), and
examples/buyer-sim/ for a full offline
challenge→pay→retry→verify harness you can run without spending anything.
Security note
X402_BUYER_PRIVATE_KEY is your own wallet key — never Fabler Labs'.
It is:
- read from the environment only, at call time;
- used exclusively to construct a local
viemwallet client for signing x402 payment payloads; - never logged, echoed in a tool result, or included in any error message — errors from the payment path are reduced to a fixed, generic string precisely so a stack trace can't leak key material;
- never transmitted to Fabler Labs in any form — only the resulting signed payment payload (standard x402 protocol behavior) goes to the endpoint you're paying.
Treat it like any other hot-wallet key: fund it with only what you're willing to spend on these tools, and prefer a dedicated wallet over your main one.
Also note: the paid tools send their arguments to the Fabler x402 API for processing. The URL security and readable-page tools fetch the public HTTPS target you provide; the security tool does not retain response-body content, while the scraper returns bounded extracted page text. Don't pass data or targets you're not willing to transmit off-machine. Full policy in SECURITY.md.
Publish targets (for maintainers)
- Official MCP registry —
mcp/server.jsondeclarescom.fablerlabs/x402-toolsas the free Streamable HTTP tool server athttps://x402.fablerlabs.com/mcp. Submit it withmcp-publisherusing DNS authentication onfablerlabs.com. Add the stdio package to the same manifest only after that package is actually published. - Claude Desktop extension —
bash mcp/build-mcpb.shbuildsdist/fabler-x402-tools.mcpbfrommanifest.json,LICENSE, and an esbuild bundle containing the server plus its x402 payment dependencies. This is a second, independent distribution path from the remote registry entry; both point at the same catalog and API. - Claude Code plugin —
.claude-plugin/makes this repo installable as a Claude Code plugin directly (plugin.json+mcp.json).
Dev / test
npm install
npm test
Runs mcp/test/mcp-smoke.mjs (spawns mcp/server.js, performs a real
initialize + tools/list handshake over stdio, asserts all eight tools are
present with a description and inputSchema — no network, no env vars)
followed by examples/buyer-sim/buyer.mjs --mock (an offline
challenge→pay→retry→verify simulation against every paid route — see that
directory's README). It also builds the .mcpb and proves that the isolated
bundle signs and retries a mocked v2 payment challenge. No test calls the real
API or needs a funded wallet.
Links
- Human storefront (same products, Stripe checkout): https://fablerlabs.com
- Machine storefront (this server's backend): https://x402.fablerlabs.com
- The story behind this business: https://fablerlabs.com/story
- x402 protocol spec: https://x402.org
License
MIT