Back to skill

Security audit

x402 Quickstart

Security checks across malware telemetry and agentic risk

Overview

This skill coherently creates a paid API scaffold, with the main risks being ordinary public-exposure and third-party registration considerations.

Review the generated server before exposing it, use only a public recipient wallet address, add rate limits and input validation, and do not publish it through Cloudflare Tunnel or register it with Spraay until you intend the endpoint and metadata to be public.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill instructs users to expose a local service through Cloudflare Tunnel without warning that this makes the service publicly reachable on the internet. In this context, the exposed service is a payment-gated API scaffold that may be run quickly with default settings, increasing the risk of unintended exposure, weak auth, debugging endpoints, or access to sensitive local resources.

Missing User Warnings

Low
Confidence
89% confidence
Finding
The skill recommends registering the endpoint with a third-party gateway without warning that endpoint metadata will be transmitted externally and may increase discoverability by unknown agents. While the data shown is limited, publishing the URL, category, and price can expose service inventory and facilitate unwanted traffic or targeting.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.