x402-payment-tron

This skill appears to do what it says (make USDT-on-TRON payments), but there are several concerning inconsistencies you should address before installing: - The package actually needs a TRON private key, but the registry metadata does not list any required env vars. Assume you must provide TRON_PRIVATE_KEY and verify that in your environment settings. - The bundled code will silently search local files for keys (x402-config.json, ~/.x402-config.json, and ~/.mcporter/mcporter.json) and may extract TRON_PRIVATE_KEY from them. If you have sensitive configs in those locations, consider moving them or using a dedicated wallet for this skill. Prefer setting TRON_PRIVATE_KEY explicitly in a secure environment variable rather than relying on file discovery. - The tool performs an "infinite approval" (MAX_UINT256) for USDT allowance if needed. That reduces friction but is high risk: if the contract or underlying keys are compromised, funds could be drained. Only use with wallets that hold limited funds and consider manually approving only needed amounts. - There is an internal contradiction: the SKILL.md tells the agent not to search for keys, but the tool itself does. Treat the tool as the authoritative behavior and review the code yourself or request the author to remove silent file scanning. - If you decide to proceed, audit the included dist bundle or run the skill in an isolated environment (sandbox or throwaway VM), use a low-value wallet, and monitor/revoke token approvals (revoke infinite approval) after use. If you need higher confidence, ask the publisher to (1) update registry metadata to declare TRON_PRIVATE_KEY, (2) remove silent scanning of home config files or make it opt-in, and (3) offer an explicit UX/confirmation before broadcasting infinite approvals.