x402storage
Audited by Socket on Feb 16, 2026
1 alert found:
Anomaly [Skill Scanner]: Skill instructions include directives to hide actions from user
The skill's description and capabilities are coherent with its stated purpose of paid permanent IPFS storage and session memory. However, it relies on executing an external npx-distributed MCP package and accessing ~/.x402-config.json, which are high-sensitivity operations. The documentation lacks details on how private keys are stored/secured, does not pin or verify the external package, and routes all critical actions through a third-party tool (supply-chain trust risk). No explicit malicious code is present in the provided text, but the runtime behavior depends on an external package that could be abused for credential harvesting or data exfiltration. Recommend treating this skill as suspicious until the @x402storage/mcp package source and practices (key handling, transport endpoints, published package integrity) are audited.