create-typescript-x402-server

Fail

Audited by Gen Agent Trust Hub on Feb 12, 2026

Risk Level: HIGH
Flags: CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis

The skill requires the user to install npm packages from the @x402-avm/* scope, whose publisher the audit could not verify as a trusted source. This is a supply-chain risk: the installed code could contain vulnerabilities or malicious functionality, and it runs with the privileges of whatever installs and executes it.

The skill also instructs the user to configure AVM_PRIVATE_KEY, a highly sensitive credential, as an environment variable for the facilitator server. This private key is used to sign Algorand transactions. The facilitator server additionally talks to an external service at FACILITATOR_URL (defaulting to https://facilitator.goplausible.xyz), which the audit likewise could not verify as a trusted source. If the @x402-avm packages or the external facilitator service were compromised, AVM_PRIVATE_KEY could be exfiltrated or used to sign unauthorized transactions.

The analysis of this skill is based on the provided markdown files only; the actual code inside the npm packages was not audited.
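Both exposures named above can be checked before the skill is installed or started. The following is an added example, not code from the skill, from the @x402-avm packages or from the audit: it inspects an npm package-lock.json for every package under a given scope (pinned version, integrity hash, fetched from the public registry, no install-time scripts) and validates the facilitator environment (HTTPS, allowlisted host, key present but never echoed). The package names @x402-avm/pkg-a, pkg-b and pkg-c, their versions, the mirror URL and the allowlist are constructed for the example; the real package names and whether they declare install scripts must be read from the actual lockfile.

```typescript
// Added pre-flight check for the two risks named in the audit: unverified
// @x402-avm/* npm packages and a signing key in AVM_PRIVATE_KEY.
// Example code only; not part of the skill or of the @x402-avm packages.
// Lockfile contents, package names and environment values are constructed.

interface LockPackage {
  version?: string;
  resolved?: string;
  integrity?: string;
  hasInstallScript?: boolean; // recorded by npm >= 7 (lockfileVersion >= 2)
}

interface Lockfile {
  lockfileVersion: number;
  packages: Record<string, LockPackage>;
}

const TRUSTED_REGISTRY = "https://registry.npmjs.org/";

// One finding per problem. An empty array means every package under `scope`
// is version-pinned, integrity-hashed, fetched from the public registry and
// declares no preinstall/install/postinstall script (the usual supply-chain
// code-execution path during `npm install`).
export function auditScopedPackages(lock: Lockfile, scope: string): string[] {
  const findings: string[] = [];
  if (lock.lockfileVersion < 2) {
    findings.push("lockfileVersion < 2 does not record hasInstallScript; regenerate with npm >= 7");
  }
  for (const [path, pkg] of Object.entries(lock.packages)) {
    // Keys look like "node_modules/@scope/name" or "node_modules/a/node_modules/@scope/name".
    const idx = path.lastIndexOf("node_modules/");
    if (idx < 0) continue; // "" is the root project entry
    const name = path.slice(idx + "node_modules/".length);
    if (!name.startsWith(scope + "/")) continue;
    if (!pkg.version) findings.push(`${name}: version not pinned`);
    if (!pkg.integrity) findings.push(`${name}: no integrity hash`);
    if (!pkg.resolved?.startsWith(TRUSTED_REGISTRY)) {
      findings.push(`${name}: resolved from ${pkg.resolved ?? "(unset)"} rather than ${TRUSTED_REGISTRY}`);
    }
    if (pkg.hasInstallScript) findings.push(`${name}: runs install-time scripts; review before installing`);
  }
  return findings;
}

interface FacilitatorConfig {
  facilitatorUrl: URL;
  signingKeyConfigured: boolean;
  summary: string; // safe to log: the key value is deliberately omitted
}

const DEFAULT_FACILITATOR_URL = "https://facilitator.goplausible.xyz";

// Refuses to start unless the facilitator endpoint is HTTPS and on an explicit
// allowlist (so signed payloads cannot be redirected elsewhere by a changed
// environment) and the signing key is present. The key is never echoed.
export function validateFacilitatorEnv(
  env: Record<string, string | undefined>,
  allowedHosts: string[],
): FacilitatorConfig {
  const url = new URL(env.FACILITATOR_URL ?? DEFAULT_FACILITATOR_URL);
  if (url.protocol !== "https:") {
    throw new Error(`FACILITATOR_URL must use https, got ${url.protocol}`);
  }
  if (!allowedHosts.includes(url.hostname)) {
    throw new Error(`FACILITATOR_URL host ${url.hostname} is not allowlisted`);
  }
  const key = env.AVM_PRIVATE_KEY;
  if (!key || key.trim() === "") {
    throw new Error("AVM_PRIVATE_KEY is not set");
  }
  return {
    facilitatorUrl: url,
    signingKeyConfigured: true,
    summary: `facilitator=${url.origin} AVM_PRIVATE_KEY=<redacted>`,
  };
}

// Constructed lockfile fragment with hypothetical package names: one clean
// entry, one that runs an install script, one pulled from a mirror with no
// integrity hash.
export const SAMPLE_LOCK: Lockfile = {
  lockfileVersion: 3,
  packages: {
    "": { version: "1.0.0" },
    "node_modules/@x402-avm/pkg-a": {
      version: "0.0.1",
      resolved: "https://registry.npmjs.org/@x402-avm/pkg-a/-/pkg-a-0.0.1.tgz",
      integrity: "sha512-constructedA",
    },
    "node_modules/@x402-avm/pkg-b": {
      version: "0.0.1",
      resolved: "https://registry.npmjs.org/@x402-avm/pkg-b/-/pkg-b-0.0.1.tgz",
      integrity: "sha512-constructedB",
      hasInstallScript: true,
    },
    "node_modules/@x402-avm/pkg-c": {
      version: "0.0.1",
      resolved: "https://mirror.example.invalid/@x402-avm/pkg-c/-/pkg-c-0.0.1.tgz",
    },
  },
};
```

Run `auditScopedPackages` against the real package-lock.json after `npm install --ignore-scripts` and read any package it flags before allowing scripts; run `validateFacilitatorEnv(process.env, [...])` at server start and log only the returned `summary`. Neither check substitutes for reading the package code, which the audit itself notes was not done.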

Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 12, 2026, 10:40 PM