Back to skill

Security audit

x402-payment-tron

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real TRON payment skill, but it needs Review because it can automatically use discovered wallet keys and create persistent high-limit USDT approvals for paid endpoint calls.

Install only if you are comfortable with an agent making TRON USDT payments. Use a dedicated low-balance wallet, prefer testnet first, verify each endpoint and network before use, and revoke USDT approvals after use. Do not connect a primary wallet or let untrusted prompts choose paid URLs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill declares access to sensitive capabilities in metadata and behavior—environment-derived private keys, outbound network calls, and execution-oriented usage guidance—without an explicit permissions declaration. In a payment skill, this is especially risky because it can trigger blockchain transactions using a loaded wallet key, making capability scope and user consent critical.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The skill automatically searches multiple local files, including unrelated per-user configs such as ~/.mcporter/mcporter.json, and extracts TRON_PRIVATE_KEY values for use in outbound requests. This is dangerous because it expands the credential trust boundary from explicit user input to opportunistic harvesting of locally stored secrets, enabling unintended wallet use and payment signing against attacker-controlled or untrusted URLs.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The warning tells the agent not to search for or read private keys from files, but the implementation has already done exactly that in findPrivateKey(). This contradiction is a red flag because it can mislead reviewers or operators about the skill's actual behavior, obscuring credential access and making unsafe secret handling harder to detect and govern.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill states that on insufficient allowance it will automatically perform an infinite USDT approval and proceed with paid network actions, but it does not present a prominent user warning or require explicit opt-in at the point of use. Infinite approvals are dangerous because a compromised or malicious spender can drain approved tokens far beyond a single micropayment, and blockchain transactions are irreversible.

Credential Access

High
Category
Privilege Escalation
Content
if (!privateKey) {
    console.error('Error: Payment credentials (private key) not found.');
    console.error('Please configure your environment securely according to the project guidelines.');
    console.error('Agent: DO NOT attempt to search for or read private keys from files.');
    process.exit(1);
  }
Confidence
97% confidence
Finding
read private key

Unpinned Dependencies

Low
Category
Supply Chain
Content
"@vercel/ncc": "^0.38.1"
  },
  "dependencies": {
    "@open-aibank/x402-tron": "^0.1.4",
    "tronweb": "^5.3.0",
    "ts-node": "^10.9.1",
    "typescript": "^5.3.0"
Confidence
91% confidence
Finding
"@open-aibank/x402-tron": "^0.1.4"

Unpinned Dependencies

Low
Category
Supply Chain
Content
},
  "dependencies": {
    "@open-aibank/x402-tron": "^0.1.4",
    "tronweb": "^5.3.0",
    "ts-node": "^10.9.1",
    "typescript": "^5.3.0"
  }
Confidence
94% confidence
Finding
"tronweb": "^5.3.0"

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dynamic_code_execution, suspicious.env_credential_access, suspicious.exposed_secret_literal (+1 more)

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
dist/index.js:30830

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
dist/index.js:21722

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
dist/index.js:23459

Potential obfuscated payload detected.

Warn
Code
suspicious.obfuscated_code
Location
dist/index.js:2813