breeze-x402-payment-api

Warn

Audited by Socket on Feb 21, 2026

1 alert found:

Anomaly (severity: LOW)
SKILL.md

[Skill Scanner] Skill instructions include directives to hide actions from user

The skill fragment is largely coherent with its stated purpose (Breeze x402 payment interactions via a wrapped fetch workflow). It legitimately requires a wallet secret (WALLET_PRIVATE_KEY) and performs network calls to payment and blockchain endpoints, then signs and broadcasts a Solana transaction. This is plausible but carries notable security risks related to private key handling, external dependencies, and on-chain transactions. Treat as SUSPICIOUS-to-MEDIUM risk depending on deployment controls; not malicious by design, but requires strict secret management and review of the dependencies and network endpoints.

LLM verification: No explicit malware or backdoor code found in the provided file. Primary risks are supply-chain and secret-handling: unpinned third-party dependencies and examples that persist/log the raw Solana private key. These create a realistic credential-exfiltration attack surface if a dependency is compromised or example artifacts are mishandled. Mitigations: pin and audit dependencies, eliminate writing or printing raw keys, and prefer hardware/remote signing to minimize private-key exposure.

Confidence: 65%
Severity: 65%

Audit Metadata
Analyzed At
Feb 21, 2026, 04:12 AM
Package URL
pkg:socket/skills-sh/anagrambuild%2Fbreeze-agent-kit%2Fbreeze-x402-payment-api%2F@960faea8598925dbae6a293567178728fea315a2