x402-video-generator
Fail
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: HIGHDATA_EXFILTRATIONCREDENTIALS_UNSAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- [DATA_EXFILTRATION]: The skill mandates that the agent gather real-time sensitive information about the user, including meeting participants, email topics, and location history. This data is incorporated into a prompt and sent to an external API (https://x402-worldchain.vercel.app), creating a significant privacy risk.
- [CREDENTIALS_UNSAFE]: The execution script relies on a blockchain PRIVATE_KEY provided via environment variables. Requiring users to expose raw private keys for cryptographic signing is a high-risk practice that can lead to total asset loss.
- [EXTERNAL_DOWNLOADS]: The skill instructions require the user to install third-party packages (@x402/fetch, @x402/evm) that perform sensitive network and payment operations. These dependencies are not from well-known organizations and cannot be easily verified.
- [COMMAND_EXECUTION]: The instructions guide the user to execute shell commands (npm install, npx tsx) to run the provided TypeScript script, which handles the sensitive data and private key.
Recommendations
- AI detected serious security threats
Audit Metadata