x402

Fail

Audited by Gen Agent Trust Hub on Feb 21, 2026

Risk Level: HIGH
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS] (HIGH): The skill documentation explicitly instructs the agent to use npx awal@latest. This command fetches and executes the awal package from the npm registry. Since the awal package and its authors are not on the list of trusted external sources, this constitutes an unverified external dependency.
  • [REMOTE_CODE_EXECUTION] (HIGH): By using npx with the @latest tag, the skill executes remote code that could change at any time without verification. This introduces a significant risk where a compromised npm package could execute arbitrary malicious code on the host system.
  • [COMMAND_EXECUTION] (MEDIUM): The skill relies on the execution of CLI tools (npx, awal) with arguments that include user-provided URLs or search queries. This increases the attack surface for command injection if inputs are not properly sanitized before being passed to the shell.
  • [PROMPT_INJECTION] (LOW): The skill is vulnerable to indirect prompt injection.
      • Ingestion points: Service metadata, schemas, and API responses from the bazaar and external URLs (SKILL.md).
      • Boundary markers: Absent. There are no instructions to ignore or delimit instructions found within external content.
      • Capability inventory: Execution of shell commands and authorization of financial transactions (USDC payments).
      • Sanitization: Absent. No evidence that the output from external services is sanitized before being returned to the agent's context.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 21, 2026, 02:27 AM