cmc-x402
Audited by Socket on Mar 3, 2026
1 alert found:
Security

This SKILL.md describes a plausible and functional integration: using an on-chain signer to pay for CoinMarketCap x402 requests. The capability aligns with the stated purpose (pay-per-request access without API keys). However, the design requires the agent runtime to receive and use a raw EVM private key and to execute third-party SDK code that will sign payments and interact with the network. That combination is high-risk: it creates a credential-exposure vector and enables autonomous spending from the wallet. Supply-chain risk from npm dependencies is present but not demonstrably malicious in this fragment. If you plan to use this skill, only supply a dedicated hot wallet with minimal funds, enforce strict per-request confirmation and spending limits at the agent/platform level, and audit/verify the @x402 and viem packages and their transitive dependencies. Overall, I do not see direct evidence of backdoors or data exfiltration in the provided content, but the operational requirements (private key + network + third-party code) make this a medium-to-high security-risk integration unless mitigated.