bondterminal-x402
Warn
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: MEDIUM
CREDENTIALS_UNSAFE, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [CREDENTIALS_UNSAFE] (MEDIUM): The skill documentation (SKILL.md) instructs users to provide an X402_PRIVATE_KEY (an EVM private key) in their environment variables. Handling raw private keys is inherently risky as it could lead to account compromise if the keys are logged, exposed in the environment, or handled insecurely by the tool.
- [COMMAND_EXECUTION] (LOW): The skill includes a bash wrapper script (scripts/btx) and setup instructions involving chmod +x. This pattern facilitates local command execution, which should be monitored.
- [EXTERNAL_DOWNLOADS] (LOW): The skill specifies dependencies on third-party Node.js packages (@x402/core, @x402/evm, and viem) which are not sourced from the predefined trusted organizations. Users should verify the integrity of these external libraries before installation.