Back to skill

Security audit

x402 Paywall Kit

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly open about automating crypto payments, but it gives an agent high-impact spending authority with weak default safeguards.

Review before installing. Use only a dedicated low-balance or testnet wallet, keep a strict domain allowlist, set very low per-request and daily limits, require human approval where possible, and protect the private key and payment logs as sensitive financial data. Treat the bundled Stripe/storefront materials as separate commerce code, not part of the agent auto-payment skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (26)

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The listing materially expands the scope beyond the declared skill purpose by advertising server-side Express middleware, merchant/paywall creation features, policy tooling, and logging in addition to client-side automatic payment handling. This creates a supply-chain and review risk: users may install or trust a package expecting only a payment-consumer agent skill, while receiving broader code paths that can modify server behavior, expose payment infrastructure, or introduce unreviewed capabilities.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The integration guide materially expands the skill from automatic x402 paywall payment into a broader ecommerce/payment system by adding Stripe card checkout and email-based fulfillment. This scope drift increases the attack surface and permission expectations beyond the declared skill purpose, making it easier for an agent or operator to introduce payment handling and PII processing that users did not intend when enabling an x402-focused skill.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The guide instructs developers to build custom paid download endpoints and sales flows, which is distinct from merely detecting and paying third-party x402 paywalls. In an agent-skill context, this can mislead deployers about the skill's authority and encourage use as a general payment gateway or product delivery system, increasing risk from unintended transactions and broader backend exposure.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Adding Stripe checkout, webhooks, and email fulfillment introduces unrelated payment processing and post-purchase workflows not justified by the skill's x402 auto-payment description. This broadening is dangerous because it adds sensitive integrations, secret management, and externally triggered webhook logic that can be abused or misconfigured, while users may not expect the skill to handle card payments at all.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The component markets the product as able to auto-detect and pay x402 paywalls, but the implemented USDC path stops after parsing a 402 response and displays that wallet payment is 'coming soon.' This is a security-relevant integrity issue because users or downstream agents may rely on promised automated payment behavior, while the actual flow cannot complete payment and may cause unsafe assumptions about access, billing, or transaction handling in a payment-related skill.

Description-Behavior Mismatch

High
Confidence
94% confidence
Finding
This file is materially misaligned with the skill’s stated purpose: instead of automatically handling x402 crypto paywall payments, it implements a Stripe product checkout flow for selling an unrelated package and describes post-purchase email delivery. In an agent skill, this kind of hidden or unjustified commerce logic is dangerous because it can redirect user funds, trigger unintended payment flows, or mask unauthorized monetization under the guise of x402 payment handling.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The webhook and product-delivery guidance extends the file beyond payment facilitation into digital product fulfillment, which is not justified by the skill’s declared x402 payment role. In this context, extra post-purchase behavior increases the attack surface and creates ambiguity about what the agent may buy or deliver on a user’s behalf, making misuse or deceptive monetization more plausible.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README promotes automatic payment behavior using a wallet private key from an environment variable, but it does not prominently warn that requests can trigger real on-chain spending or that the private key is highly sensitive. In an agent skill context, this is dangerous because users may enable auto-payment against untrusted endpoints and expose funds or mishandle credentials without understanding the risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This skill performs real-money transactions automatically, yet the documentation presents auto-payment as normal operation and repeatedly uses examples with human approval disabled. In an agent context, that creates a material risk of unintended cryptocurrency spending on attacker-controlled or misconfigured endpoints, especially when 402 responses can be triggered by remote services.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The post promotes automatic payment of crypto paywalls and frames the flow as transparent and seamless, but it does not clearly warn users that real funds may be spent automatically. In an agent-skill context, this is dangerous because users may enable behavior that causes repeated or unintended financial transactions against attacker-controlled or misconfigured endpoints.

Missing User Warnings

High
Confidence
99% confidence
Finding
The sample configuration explicitly sets `requireHumanApproval: false` while demonstrating automatic payments, without any cautionary text about financial risk or abuse scenarios. This lowers user defenses and can normalize unsafe deployment patterns where agents pay arbitrary 402 challenges automatically, potentially draining wallets or paying malicious services.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The tweet copy explicitly promotes fully automatic agent payments ('Zero human intervention') without any warning about wallet use, spending risk, consent, or safe configuration. In the context of a skill whose core purpose is to authorize cryptocurrency payments, this can normalize unsafe deployment and encourage users to enable autonomous spending without understanding financial consequences.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This section markets automatic payment for premium APIs but omits any warning that the agent may sign and submit USDC payments from a connected wallet. Because the skill is specifically designed to bypass 402 payment barriers autonomously, omission of financial-risk messaging makes misuse and accidental wallet drain more likely.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README prominently describes an agent that will automatically pay x402 crypto paywalls, but it does not give a clear upfront warning that running the demo can spend wallet funds. In an agent-skill context, this is dangerous because users may connect funded wallets and execute the demo without fully understanding that payment authorizations and on-chain settlement behavior can occur automatically.

Missing User Warnings

High
Confidence
97% confidence
Finding
The README instructs users to export a raw wallet private key as an environment variable but does not include strong handling warnings or safer alternatives. This creates a real secret-exposure risk because shell history, process inspection, CI logs, screenshots, copied commands, or misconfigured environments can leak the key, enabling full theft of wallet-controlled assets.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The agent is configured with requireHumanApproval set to false, allowing automatic spending whenever a compatible x402 paywall is encountered within policy limits. In an agent context that fetches remote resources, this can lead to unintended or manipulated payments to attacker-controlled or misconfigured endpoints, especially since the demo also defaults to a local HTTP server and auto-pays based on response behavior.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The PRD repeatedly promotes automatic payment and retry behavior using a wallet private key, but the top-level product framing does not prominently warn operators that enabling the skill can spend real funds without per-transaction confirmation. In an agent context, silent auto-payment materially raises the risk of unintended purchases, prompt-driven abuse, or payment to malicious endpoints if policy controls are weak or misconfigured.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The proposed SKILL.md frontmatter asks for `X402_WALLET_PRIVATE_KEY` and advertises automatic paywall handling, but omits a clear warning that installation grants the skill access to a secret capable of authorizing real-value transactions. In the skill ecosystem context, this is especially dangerous because users may install based on the short description alone and not understand that autonomous payments can occur.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README tells users to export a raw wallet private key into an environment variable but does not warn that this secret grants full control over the wallet and may be exposed through shell history, process listings, logs, CI output, or copied terminal sessions. Even though this is framed as a testnet integration flow, normalizing direct private-key handling in documentation increases the chance that users will use real keys or insecure operational practices elsewhere.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README explicitly promotes automatic payment retries and payment logging, but it does not prominently warn that using this interceptor can spend real funds and write potentially sensitive transaction metadata to local disk. In an agent context, automatic handling of 402 responses materially increases risk because requests may be triggered by autonomous workflows, causing unintended financial loss or creation of local artifacts without clear operator awareness.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The wrapper automatically retries 402 responses with payment authorization after only checking a local policy, without authenticating the paywall origin or validating that the requested payment is bound to a trusted service. In this skill context, that is more dangerous because the feature is specifically designed to make autonomous payments to arbitrary x402-enabled endpoints, so a malicious or compromised endpoint could induce unwanted spending within policy limits.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README explicitly encourages append-only local logging of payment events including URL, amount, network, facilitator, transaction hash, and policy decision, but provides no warning about persistence, retention, or sensitivity of this metadata. In an agent skill that automates crypto payments, this can create an audit trail of spending behavior and transaction metadata that may expose operational patterns, paid endpoints, or sensitive business activity if the file is accessible, backed up, or exfiltrated.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The guide directs extracting customer email from a checkout session and using it for fulfillment, but provides no notice, consent language, retention guidance, or privacy boundary. In a skill ecosystem, silent collection of personal data is especially risky because the agent operator may enable the skill for x402 payments without expecting PII processing, creating compliance and user-trust issues.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill prominently instructs users to automatically detect and pay x402 paywalls, but does not place a clear, upfront warning near activation/use instructions that real funds may be spent automatically on untrusted endpoints. In an agent context, this is especially risky because any 402-capable external service encountered during autonomous browsing or API use could trigger signing and payment without meaningful operator confirmation or policy constraints.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill prominently advertises automatic payment of x402 paywalls but does not place a strong upfront warning in the metadata/intro that using it can spend real cryptocurrency on remote endpoints. In an agent context, this is dangerous because the feature is explicitly designed to react to untrusted 402 responses from arbitrary services, so operators may enable it without realizing it can authorize real USDC transfers automatically.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
integration/base-sepolia.test.ts:31