x402-payment
Warn
Audited by Gen Agent Trust Hub on Mar 3, 2026
Risk Level: MEDIUM (DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [DATA_EXFILTRATION]: The skill accesses sensitive local file paths to retrieve blockchain private keys, specifically searching ~/.mcporter/mcporter.json and ~/.x402-config.json. While this is required for the skill's stated purpose of automated payments, accessing credentials from other applications' configuration files is a significant security risk.
- [COMMAND_EXECUTION]: The skill executes a bundled JavaScript tool (dist/x402_invoke.js) that performs blockchain signing and transaction submission. This tool has access to the filesystem and network to carry out its operations.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it fetches and returns responses from external, user-supplied URLs to the agent without boundary markers.
  - Ingestion points: Data enters the agent context via the X402FetchClient.request method, which retrieves JSON, text, or binary data from the target endpoint (src/x402_invoke.ts).
  - Boundary markers: There are no explicit delimiters or system instructions used to separate the external response content from the agent's core logic.
  - Capability inventory: The skill can sign and broadcast blockchain transactions, write temporary files to /tmp, and read sensitive configuration files.
  - Sanitization: The skill implements a key redaction mechanism that filters private keys from error messages and stack traces using regular expressions before they are output to the console.
Audit Metadata