Back to skill

Security audit

FluxA Agent Wallet for x402 Resources Payment

Security checks across malware telemetry and agentic risk

Overview

This wallet-payment skill mostly fits its stated purpose, but it needs Review because it also exposes direct payout capability and stores wallet credentials locally without clear disclosure or safeguards.

Install only if you trust FluxA and this publisher with delegated payment authority. Use small task-specific budgets, verify the exact paid endpoint and payment payload before authorizing spending, avoid the payout command unless you intentionally want a transfer, and protect or remove ~/.fluxa-ai-wallet-mcp/config.json when no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
79% confidence
Finding
The skill instructs use of a bundled CLI to create mandates, sign payment payloads, and call external paid endpoints, which implies network access and likely use of environment/configured credentials, yet no permissions are declared. This weakens reviewability and consent because an agent may exercise payment-capable and networked behavior without an explicit capability declaration, increasing the chance of unintended external calls or secret use.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The documented purpose is limited to budget requests, x402 signing, and paid endpoint calls, but the detected behavior includes materially broader capabilities such as agent registration, credential/JWT storage, token refresh, and blockchain/asset payouts. That mismatch is dangerous because reviewers and users may authorize a payment skill without realizing it can persist credentials and initiate fund transfers, creating a larger attack surface and higher abuse potential.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The code implements payout creation and payout-status functionality, which are real money-movement operations and exceed the skill’s stated scope of budget requests and x402 payments. In an autonomous agent wallet context, hidden or undocumented payout capabilities materially increase risk because an integrator may authorize the skill for limited payment signing while unknowingly exposing direct transfer primitives.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The CLI help text publicly exposes payout commands that are not reflected in the skill description, indicating a capability mismatch between declared and actual behavior. This is dangerous because downstream users, agents, or policy engines may trust the description for risk-scoping and fail to account for direct payout functionality.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The example shows sending a base64 payment authorization in the X-PAYMENT header directly to an endpoint, but does not place a clear nearby warning that this header is authorization material that may spend budget or be replay-sensitive. In a wallet/payment skill, omission of that warning makes accidental disclosure, logging, copy/paste leakage, or transmission to the wrong host more likely.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Agent credentials including agent_id, token, and JWT are persisted to a local JSON config file under the user’s home directory without any warning, permission hardening, or secure storage mechanism. If the host is multi-user, backed up, synced, or otherwise accessible, theft of these secrets could let an attacker impersonate the agent and authorize wallet operations.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The payout command performs a live payment-related API call using the agent’s bearer token and supplied destination/amount with no interactive confirmation, warning, or policy check. In an autonomous agent setting, this makes misuse significantly more dangerous because a prompt-influenced workflow or misconfigured integration could trigger irreversible fund transfers silently.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/fluxa-cli.bundle.js:4