monetize-service

Fail

Audited by Gen Agent Trust Hub on Feb 14, 2026

Risk Level: HIGH (EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION)
Full Analysis
  • [REMOTE_CODE_EXECUTION] (HIGH): The skill utilizes npx awal@latest, which downloads and executes code from the npm registry at runtime. Because it uses the @latest tag and the package 'awal' is not from a trusted source (as defined in the [TRUST-SCOPE-RULE]), this presents a high risk of supply chain attack or execution of malicious updates.
  • [COMMAND_EXECUTION] (HIGH): The skill enables the agent to generate a JavaScript file (index.js) and execute it using node. This allows for arbitrary code execution on the host system under the guise of setting up a payment server.
  • [EXTERNAL_DOWNLOADS] (MEDIUM): The skill installs several third-party Node.js packages (x402-express, @coinbase/x402, express) which are not within the verified trust scope. This increases the attack surface via unverified dependencies.
  • [CREDENTIALS_UNSAFE] (MEDIUM): The documentation explicitly instructs the setup of CDP_API_KEY_ID and CDP_API_KEY_SECRET environment variables. While it does not hardcode them, it facilitates the handling of high-value secrets within the agent's operating environment.
  • [DATA_EXFILTRATION] (LOW): The skill accesses cryptocurrency wallet addresses using awal address. While the address itself is public, the context involves financial transactions and wallet interactions that could be leveraged for unauthorized fund transfers if the environment is compromised.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 14, 2026, 02:11 PM