create-typescript-x402-nextjs

Audited by Gen Agent Trust Hub on Feb 12, 2026

Risk Level: MEDIUM (EXTERNAL_DOWNLOADS)
Full Analysis

================================================================================

🟡 VERDICT: MEDIUM

This skill instructs the user to install external npm packages from an organization (GoPlausible) that is not on the list of trusted sources. While the skill's own instructions are benign, the security of the resulting application depends on the integrity of these third-party dependencies. It is recommended to carefully review the source code of these external packages before integrating them into a production environment.

Total Findings: 2

🟡 MEDIUM Findings:

• Unverifiable Dependencies

  • Line 40 (SKILL.md): The skill instructs users to install several npm packages from the @x402-avm scope (e.g., @x402-avm/next, @x402-avm/avm, @x402-avm/core, @x402-avm/paywall). These packages are referenced as being from the GoPlausible/x402-avm GitHub organization, which is not on the list of trusted GitHub organizations. While the skill's instructions themselves do not contain malicious code, the security of the resulting application relies heavily on the integrity and security of these third-party dependencies.

🔵 LOW Findings:

• Data Exfiltration (INFO)

  • Line 26 (SKILL.md): The skill involves network communication with a "facilitator" service, typically https://x402.org/facilitator. This is central to the skill's functionality. While x402.org is not a trusted domain, the communication is explicitly part of the intended behavior of the x402-avm packages. There is no indication of sensitive local files being exfiltrated. The skill also uses environment variables for PAY_TO, FACILITATOR_URL, ALGOD_SERVER, and ALGOD_TOKEN, which is a good practice for handling configuration and credentials.

================================================================================

Audit Metadata

Risk Level: MEDIUM
Analyzed: Feb 12, 2026, 10:40 PM