create-python-x402-client

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill wraps httpx/requests (x402HttpxClient, x402_requests, wrapHttpxWithPayment/wrapRequestsWithPayment) and explicitly performs client.get(resource_url) to arbitrary external URLs (e.g., "https://api.example.com/paid-resource") and parses 402 PaymentRequired data from response headers/body, so it fetches and interprets untrusted third-party content.

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

• Secret detected (high risk: 1.00). I scanned the full prompt for literal, high-entropy values that could be usable credentials.

Findings:

• The only high-entropy literal is in the config example:
• network="algorand:SGO1GKSzyE7IEPItTxCByw9x8FmnrCDexi9/cOUJOiI=" This is a base64-like, random-looking string (prefixed with "algorand:") and therefore meets the "high-entropy literal" definition. It could be a network identifier or a secret token; because it is a concrete value (not a placeholder like YOUR_API_KEY) it should be treated as a potential secret and reviewed/rotated if it is in fact a live credential.

Ignored items (not flagged) and why:

• AVM_PRIVATE_KEY is only referenced as an environment variable name and no literal private key value is present — ignore per rule 3 (env var names).
• No sample Base64 private key or full PEM block appears in the doc. Code shows how to encode/decode keys, but does not contain an actual secret value.
• Other strings (URLs, example simple passwords, package names, function names) are documentation/examples and/or low-entropy placeholders, so they are ignored per the given rules.

Recommendation: Verify whether the "algorand:SGO1GKSz..." value is an intentionally public identifier. If it is a secret or access token, remove and rotate it immediately; if it is a benign public ID, mark it as an example in docs to avoid confusion.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly designed to perform on-chain payments: it creates Algorand USDC payment transactions, constructs atomic transaction groups (ExactAvmScheme), and signs them using a provided Algorand private key via a ClientAvmSigner implementation. It requires an AVM_PRIVATE_KEY env var (Base64 64-byte secret), shows concrete signing code (using algosdk encoding and sign()), and wraps HTTP clients to automatically attach X-PAYMENT headers and retry after 402 responses. These are direct crypto wallet/payment operations (creating and signing transactions), so it grants direct financial execution capability.