use-python-x402-core-avm

Status: Warn

Audited by Gen Agent Trust Hub on Feb 12, 2026

Risk Level: MEDIUM
Flags: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, CREDENTIALS_UNSAFE

Full Analysis

================================================================================

🟡 VERDICT: MEDIUM

This skill is rated MEDIUM because it depends on an external Python package and a GitHub repository that the auditor could not verify. The skill itself does not appear to contain malicious code, but installing and running code from an unvetted source is a supply chain risk: whatever the index serves at install time is executed with the agent's privileges. The skill also handles a private signing key. It does so with a reasonable practice (reading it from an environment variable), but key handling is a sensitive operation that warrants its own review.

Total Findings: 3

🟡 MEDIUM Findings:

• Unverifiable Dependency
  SKILL.md Line 19: pip install "x402-avm[avm]"
  The skill instructs the user to install the 'x402-avm' Python package. The package is not from a source on the auditor's trusted list (for example a major vendor or a pre-vetted organization), and the command pins neither a version nor a hash, so the user gets whatever the index serves at that moment. Installing packages from untrusted sources can lead to arbitrary code execution (build and install hooks run at install time) and to supply chain attacks.

• Untrusted External Reference
  SKILL.md Line 100: x402-avm AVM Documentation
  The skill references a GitHub repository under the 'GoPlausible' organization, which is not on the auditor's list of trusted GitHub organizations. Referencing and potentially relying on code from an untrusted external source introduces a risk of malicious code injection or unexpected behavior.
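The practical mitigation for the first finding is to pin the dependency to an exact version and hash and install with `pip install --require-hashes -r requirements.txt`, which refuses anything looser. The following is an added example, not code from the audited skill or from the x402-avm project: it parses the hash-pinned requirement shape that flag demands and checks a downloaded artifact against it, so the gate can run (and be logged) before pip executes anything. The version `0.1.0`, the wheel bytes and the pinned digest are constructed for the example; a real digest is taken from the package's release files and reviewed out of band.

```python
"""Gate a package install on a hash-pinned requirement.

Added example; not part of the audited skill or of x402-avm. Mirrors what
`pip install --require-hashes` enforces so the check can be run up front.
"""
import hashlib
import re

_HASH_RE = re.compile(r"--hash=(sha256|sha384|sha512):([0-9a-fA-F]+)")
# name, optional [extras], exact ==version, then one or more --hash options.
_REQ_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)(?P<extras>\[[^\]]*\])?"
    r"==(?P<version>[A-Za-z0-9.+!*-]+)(?P<hashes>(?:\s+--hash=\S+)+)\s*$"
)


def parse_pinned_requirement(line: str) -> dict:
    """Parse one requirement line in the shape --require-hashes demands.

    Raises ValueError for anything looser (no ==, a range, or no --hash).
    """
    m = _REQ_RE.match(line.strip())
    if not m:
        raise ValueError("requirement is not pinned to an exact version with --hash")
    hashes: dict[str, set[str]] = {}
    for alg, hexdigest in _HASH_RE.findall(m["hashes"]):
        hashes.setdefault(alg, set()).add(hexdigest.lower())
    if not hashes:
        raise ValueError("no recognised --hash option")
    return {
        # pip normalises names case-insensitively and treats '-', '_' and '.' alike
        "name": re.sub(r"[-_.]+", "-", m["name"]).lower(),
        "version": m["version"],
        "hashes": hashes,
    }


def is_hash_pinned(line: str) -> bool:
    try:
        parse_pinned_requirement(line)
        return True
    except ValueError:
        return False


def artifact_matches(data: bytes, pinned: dict) -> bool:
    """True iff data's digest equals one of the pinned digests (any listed algorithm)."""
    return any(
        hashlib.new(alg, data).hexdigest() in allowed
        for alg, allowed in pinned["hashes"].items()
    )


def check_install_plan(requirement_lines, artifacts: dict) -> list:
    """Check every requirement line against the artifact bytes fetched for it.

    Returns (name, status) pairs; status is "ok", "unpinned", "missing" or
    "hash-mismatch". Any status other than "ok" should abort the install.
    """
    results = []
    for line in requirement_lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not is_hash_pinned(line):
            results.append((line.strip(), "unpinned"))
            continue
        pinned = parse_pinned_requirement(line)
        data = artifacts.get(pinned["name"])
        if data is None:
            results.append((pinned["name"], "missing"))
        elif artifact_matches(data, pinned):
            results.append((pinned["name"], "ok"))
        else:
            results.append((pinned["name"], "hash-mismatch"))
    return results


# Constructed stand-ins for the downloaded wheel; not real x402-avm bytes.
GOOD_WHEEL = b"PK\x03\x04 constructed x402_avm-0.1.0 wheel contents"
TAMPERED_WHEEL = GOOD_WHEEL + b"\n# extra bytes slipped in"
# In practice this digest is copied from the release and reviewed; here it is
# derived from the constructed bytes so the example runs offline.
PINNED_LINE = (
    "x402-avm[avm]==0.1.0 --hash=sha256:" + hashlib.sha256(GOOD_WHEEL).hexdigest()
)
UNPINNED_LINE = "x402-avm[avm]"  # the form SKILL.md line 19 installs

if __name__ == "__main__":
    print(check_install_plan([UNPINNED_LINE, PINNED_LINE], {"x402-avm": GOOD_WHEEL}))
    print(check_install_plan([PINNED_LINE], {"x402-avm": TAMPERED_WHEEL}))
```

Fetch the artifact with `pip download --no-deps` into a scratch directory, run the check over its bytes, and only then install from that directory. Note that `--require-hashes` applies to the whole resolution, so every transitive dependency must be pinned the same way; an unpinned transitive dependency is the same finding one level down.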

🔵 LOW Findings:

• Sensitive Data Handling
  references/EXAMPLES.md Line 66: signer = PrivateKeySigner(os.environ["AVM_PRIVATE_KEY"])
  The skill demonstrates loading a private key from the AVM_PRIVATE_KEY environment variable for use in transaction signing. Reading secrets from the environment is a reasonable practice, but the skill is handling a highly sensitive cryptographic key, and an environment variable is inherited by every subprocess the agent spawns. Users must ensure this variable is set only for the process that needs it and is never logged or passed on.
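The checks a practitioner would put around that one-line read, as an added example that is not code from the audited skill or from x402-avm: fail closed when the variable is missing or holds a template placeholder, remove the secret from the process environment once it has been read (so subprocesses launched later do not inherit it), and mask it in anything that gets logged. `PrivateKeySigner` is not called here because its constructor is not shown on the page; the key is returned as a string for whichever signer the caller constructs. The placeholder list and the sample environment are assumptions for the example.

```python
"""Read a signing key from the environment and leave nothing behind.

Added example; not code from the audited skill or from x402-avm.
"""
import os
from typing import MutableMapping, Optional

KEY_VAR = "AVM_PRIVATE_KEY"
# Assumed values that a template or a pasted example leaves behind. Treating
# them as "not set" makes a misconfigured deployment fail before it signs.
PLACEHOLDERS = {"changeme", "replace-me", "todo", "<your-private-key>", "xxx"}
REDACTED = "[REDACTED]"


class KeyLoadError(RuntimeError):
    """Configuration problem with the signing key. Never includes key material."""


def load_signing_key(
    env: Optional[MutableMapping[str, str]] = None,
    var: str = KEY_VAR,
    scrub: bool = True,
) -> str:
    """Return the key from env[var], then remove it from env.

    Removing it matters because a skill flagged COMMAND_EXECUTION will spawn
    subprocesses, and every child inherits the parent's environment. After
    this call a later subprocess.run(...) no longer hands the key to them.
    """
    if env is None:
        env = os.environ
    raw = env.get(var)
    if raw is None:
        raise KeyLoadError(f"{var} is not set")
    key = raw.strip()
    if not key:
        raise KeyLoadError(f"{var} is empty")
    if key.lower() in PLACEHOLDERS:
        raise KeyLoadError(f"{var} holds a placeholder, not a key")
    if scrub:
        del env[var]
    return key


def redact(text: str, key: str) -> str:
    """Mask the key wherever it appears (log lines, exception text, tracebacks)."""
    return text.replace(key, REDACTED) if key else text


def child_environment(env: Optional[MutableMapping[str, str]] = None, var: str = KEY_VAR) -> dict:
    """Environment to pass as subprocess.run(..., env=...): a copy without the key.

    For callers that cannot scrub the parent's environment (scrub=False).
    """
    base = dict(os.environ if env is None else env)
    base.pop(var, None)
    return base


if __name__ == "__main__":
    # Constructed environment; the value is not a real key.
    sample_env = {"AVM_PRIVATE_KEY": "  constructed-key-material  ", "PATH": "/usr/bin"}
    key = load_signing_key(sample_env)
    print(redact(f"loaded key {key}", key))          # loaded key [REDACTED]
    print(sorted(sample_env))                         # ['PATH']
    print(child_environment({"AVM_PRIVATE_KEY": "k", "HOME": "/tmp"}))
```

Pair this with a signer that is constructed once and kept in memory, rather than re-reading the variable each time, and keep the variable out of shell history and agent transcripts: an agent that echoes its environment into a tool call has leaked the key regardless of how carefully the Python reads it.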

================================================================================

Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 12, 2026, 10:41 PM