x402
Fail
Audited by Gen Agent Trust Hub on Feb 14, 2026
Risk Level: HIGH
Categories: REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [REMOTE_CODE_EXECUTION] (HIGH): The skill uses `npx awal@latest` to download and run code from the npm registry at runtime. Since the 'awal' package is not from a trusted publisher, this represents an unverified remote code execution vector.
- [COMMAND_EXECUTION] (HIGH): The skill invokes local shell commands to manage financial operations. Malicious input or service schemas could potentially manipulate these command arguments to perform unintended actions.
- [DATA_EXFILTRATION] (MEDIUM): The `pay` and `details` commands allow the agent to send custom headers and JSON data to arbitrary URLs. An attacker could use this to trick the agent into sending sensitive session information to a malicious endpoint.
- [INDIRECT PROMPT INJECTION] (HIGH): The skill's primary purpose is to ingest and act upon 'bazaar' schemas and metadata from external, untrusted services. A malicious service could embed instructions to bypass safety checks or drain the user's USDC balance.
  - Ingestion points: Service metadata and schemas retrieved via `bazaar search`, `bazaar list`, and `details <url>`.
  - Boundary markers: Absent. No instructions exist to prevent the agent from following directions found in the schemas.
  - Capability inventory: USDC payments on the Base network, full HTTP request capabilities (GET, POST, etc.), and local CLI execution.
  - Sanitization: None mentioned for external schema content or endpoint response data.
Recommendations
- AI detected serious security threats
Audit Metadata