Security audit

Simmer X402

Security checks across malware telemetry and agentic risk

Overview

This skill openly makes real crypto payments, but it gives agents broad automatic spending and blockchain RPC ability that users should review carefully before installing.

Install only with a dedicated low-balance wallet, a tight X402_MAX_PAYMENT_USD value, and trusted call sites. Prefer dry-run or manual approval workflows, avoid treasury or trading wallets, and be cautious using the generic Quicknode RPC command in unattended agents.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 93%
Finding:
The skill requires access to environment variables and network resources, including a wallet private key and outbound requests to third-party endpoints, yet no permissions are explicitly declared. This undermines least-privilege review and can cause an agent framework or operator to grant broader capabilities than expected, especially given the skill can initiate paid transactions.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding:
The declared purpose frames the skill as handling x402 payments for paid content, but the documented behavior is materially broader: wallet balance inspection, SIWE/JWT authentication, and arbitrary multi-network JSON-RPC access. This mismatch can mislead reviewers and users into authorizing a skill that effectively has wider blockchain and data-access capabilities than advertised, increasing the risk of abuse or unintended spending/exfiltration.

Description-Behavior Mismatch

Severity: Medium
Confidence: 88%
Finding:
The skill is presented as a payment helper for gated APIs/content, but it also exposes a generic Quicknode-backed JSON-RPC capability for arbitrary blockchain networks. This materially broadens the skill's power beyond its declared purpose, increasing the chance that an orchestrating agent or user invokes unintended blockchain operations under the same wallet context.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding:
The CLI accepts attacker- or caller-controlled network and method names and forwards arbitrary JSON-RPC calls after authenticating with the wallet, which creates a broad primitive for interacting with third-party blockchain infrastructure outside the advertised use case. Even if the current transport is intended for paid RPC access, unrestricted method execution can enable sensitive wallet-linked actions, unexpected charges, or abuse of the authenticated session.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
On a 402 response, the code proceeds to initialize the x402 client and retry with payment automatically, without an interactive confirmation or a mandatory caller-supplied authorization at the moment funds are about to be spent. In an agent setting, this is risky because untrusted URLs or manipulated payment challenges can trigger real on-chain spending with only a configurable cap as the safeguard.

VirusTotal

VirusTotal findings are pending for this skill version.


Static analysis

No suspicious patterns detected.