Security audit

x402 Singularity Layer

Security checks across malware telemetry and agentic risk

Overview

The skill broadly matches its stated crypto-payment purpose, but it can spend funds, sign blockchain transactions, and delete or revoke account resources with limited built-in confirmations.

Install only if you intend to give this skill financial and owner-scoped authority. Use low-balance or delegated wallets, scoped API keys/PATs, trusted default service URLs, and inspect every payment, staking, registration, delete, webhook, campaign, or XMTP revocation action before allowing an agent to run it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (17)

Tainted flow: 'result' from requests.get (line 284, network input) → requests.get (network output)

Medium
Category
Data Flow
Content
        filename = "downloaded_product"
        print(f"\nDownloading file to: (unknown)")

        file_response = requests.get(result["downloadUrl"])
        if file_response.status_code == 200:
            with open(filename, "wb") as f:
                f.write(file_response.content)
Confidence
94% confidence
Finding
file_response = requests.get(result["downloadUrl"])

Tainted flow: 'BASE' from os.getenv (line 38, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
def _post(path: str, body: dict) -> dict:
    r = requests.post(f"{BASE}{path}", json=body, timeout=TIMEOUT)
    data = r.json()
    if not r.ok:
        msg = data.get("error", data)
Confidence
86% confidence
Finding
r = requests.post(f"{BASE}{path}", json=body, timeout=TIMEOUT)

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script implements fundraiser campaign management capabilities that are not described in the stated skill metadata, which broadens the skill's effective authority beyond the documented scope. In an agent setting, this kind of hidden or undocumented functionality is dangerous because users and orchestrators may invoke the skill under false assumptions and unintentionally perform privileged owner-scoped operations against unrelated resources.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The helper exposes a `revoke-others` command that invalidates all other XMTP installations for the wallet, which is a destructive account-management action. In an agent skill context that may be invoked by higher-level automation, this can be triggered without the operator fully understanding that it will disconnect other devices or sessions, creating availability and account-recovery risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The reference explicitly instructs use of sensitive signing credentials such as PRIVATE_KEY and SOLANA_SECRET_KEY without any accompanying warning about secure storage, non-logging, least-privilege handling, or safer alternatives. In this skill’s context, those secrets authorize on-chain registrations and updates, so poor handling could directly lead to wallet compromise and unauthorized transactions across supported networks.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The reference explicitly includes a destructive action (`delete_endpoint`) in the recommended MCP tool mapping but provides no guidance to require explicit user confirmation, dry-run preview, or ownership verification before invoking it. In an agent skill that performs owner-scoped infrastructure management, this omission increases the risk of accidental or prompt-induced destructive operations against production endpoints.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The document includes code that performs local private-key signing and then sends the resulting authorization to a remote endpoint without any explicit warning about secret handling, trusted endpoint validation, or the financial consequences of signing. In this skill’s context, those signatures authorize USDC payments, so unclear guidance can lead users or downstream agents to expose keys, sign unintended payment payloads, or transmit value-bearing authorizations to attacker-controlled endpoints if the URL/challenge is spoofed.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The reference shows direct EIP-712 signing with a raw private key but provides no warning or operational safeguards around secret handling, storage, logging, or environment isolation. In a skill explicitly designed to handle payments and optional privileged credentials, this omission can lead users or downstream agents to expose signing keys in unsafe ways, resulting in wallet compromise and unauthorized transfers.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The reference explicitly requires `PRIVATE_KEY` and gives wallet-auth commands, but it does not warn that this secret must only be supplied through secure secret storage and must never be pasted into chat, logs, or shared environments. In this skill context, the capability enables real wallet signing on blockchain networks, so unclear credential-handling guidance increases the risk of key exposure and unauthorized transactions if an agent or user handles the secret unsafely.

Missing User Warnings

Low
Confidence
76% confidence
Finding
The file documents commands to send XMTP messages and revoke other installations, but it does not state that these are state-changing actions with user-visible effects. In context, revoking installations can disrupt access on other devices and sending messages can contact counterparties, so an agent could trigger unwanted communication or service interruption without adequate confirmation guidance.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The script transmits the user's wallet address to whatever endpoint URL is supplied, with no trust validation, allowlist, or explicit consent step at execution time. While a wallet address is not a secret key, it is still sensitive metadata that can be used for tracking, correlation, and deanonymization, especially across chains and services.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The create and update flows directly perform authenticated POST/PATCH requests that change remote state without any built-in confirmation, dry-run, or user acknowledgment step. In an agent environment, that increases the risk of prompt-induced or accidental actions creating or modifying campaigns with real operational and reputational consequences.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The CLI performs irreversible endpoint deletion immediately when the delete subcommand is invoked, with no confirmation prompt, dry-run mode, or explicit danger acknowledgement. In an agentic or scripted environment, a mistaken slug, prompt injection into a higher-level agent workflow, or operator error could cause unintended destructive actions against monetized endpoints.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script sends the user's Solana wallet address in a custom HTTP header to the remote endpoint, which exposes identifying wallet metadata to the API operator and any intermediaries if transport security is downgraded or misconfigured. In a wallet-first/on-chain identity context, this creates a privacy leak and enables correlation of API usage with a specific blockchain identity.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The EVM path signs and broadcasts on-chain transactions immediately after receiving transaction parameters from a remote prepare/finalize API, without any explicit user confirmation, transaction summary, or policy gate in this code path. In a skill that can use private keys for wallet-first registration, this increases the risk of unintended or manipulated blockchain actions if upstream API responses, inputs, or invocation context are wrong or compromised.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The Solana flow submits a prepared base64 transaction from a remote API and signs it with local keys, including an extra generated signer, without surfacing the instructions for user review or requiring approval. In the context of a wallet-enabled agent skill, blindly signing server-prepared transactions is dangerous because a compromised or buggy API could cause unauthorized state changes or fund-impacting actions.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The revocation flow performs an irreversible or hard-to-undo security-sensitive action with no warning, confirmation, dry-run, or preview of affected installations. In an agent-operated environment, this increases the chance of accidental self-lockout or disruption of legitimate support/chat workflows across devices.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

Static analysis

Detected: suspicious.env_credential_access

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/xmtp_support.mjs:11