NYC

pay-for-service

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION)
Full Analysis
  • EXTERNAL_DOWNLOADS (MEDIUM): The skill utilizes npx awal@latest, which dynamically downloads and executes the 'awal' package from the npm registry. Because 'awal' is not a recognized trusted source and the skill uses the @latest tag, the behavior of the code could change at any time without verification.
  • REMOTE_CODE_EXECUTION (MEDIUM): The use of npx to run an unverified third-party package constitutes remote code execution. Since the package source is not within a trusted organization or repository, the security of the script cannot be guaranteed at runtime.
  • DATA_EXFILTRATION (LOW): The x402 pay command is designed to send headers and data to arbitrary URLs. While this is the primary intended function of the skill, it creates a surface for data exfiltration if the agent is prompted to send sensitive local data or environment variables to an attacker-controlled endpoint.
  • Indirect Prompt Injection (LOW):
    • Ingestion points: The response from the paid API request (output of the awal command) is returned to the agent context.
    • Boundary markers: Absent; there are no instructions to the agent to treat the API response as untrusted data.
    • Capability inventory: The skill allows full Bash command execution for the awal CLI, providing a path for subsequent malicious actions if the API response contains instructions.
    • Sanitization: None; the raw output from the external service is processed by the model.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Feb 17, 2026, 04:35 PM