Back to skill

Security audit

tron-x402-payment

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real TRON payment helper, but it can automatically use wallet credentials, spend tokens, and create long-lived token approvals without a clear confirmation step.

Install only if you intentionally want an agent to spend from a TRON wallet. Use a dedicated low-balance wallet, testnet first, avoid valuable mainnet keys or broad mcporter credentials, review each endpoint and price before use, and revoke token approvals after use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill declares and documents capabilities that access environment secrets, perform network requests, and invoke shell/Node commands, yet it does not declare corresponding permissions. This creates a transparency and policy-enforcement gap: an agent or platform may expose sensitive functionality without explicit operator awareness, increasing the chance of secret misuse or unintended outbound actions.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The skill automatically searches multiple local files, including ~/.mcporter/mcporter.json and unrelated server configs, for TRON private keys and API keys without explicit user consent at invocation time. In an agent context, this expands the trust boundary from provided inputs/environment to the user's filesystem and can cause unintended credential harvesting and spending authority if the tool is invoked against an attacker-controlled endpoint.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The skill writes arbitrary remote binary or image responses to a temporary file on disk, based solely on the server's response. This can persist untrusted content locally, leak sensitive returned data to other local processes/users depending on temp directory permissions, and create a path that downstream agents or users may open, enabling follow-on abuse.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill states it will perform an infinite TRC20 approval automatically when allowance is insufficient, but it does not require explicit user confirmation or prominently warn that this can grant a spender ongoing access to tokens. If the payee/spender is malicious or later compromised, the wallet could be drained far beyond the cost of a single API call.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The tool automatically discovers and uses TRON private keys and API keys from environment variables and local config files, then performs network payment flows without any user-facing disclosure or consent gate. In an agent setting, this creates a real risk of silent spending and secret use when the skill is invoked indirectly or unexpectedly.

Missing User Warnings

High
Confidence
99% confidence
Finding
When allowance is insufficient, the skill automatically submits an on-chain approve transaction for a very large allowance (maxUint160) without explicit confirmation. This is dangerous because it grants broad token spending power to the payment contract/spender, so a compromised or incorrect spender, contract bug, or malicious endpoint context could lead to unauthorized token drain beyond the immediate payment.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code silently searches local config files for sensitive credentials without prominent user-facing disclosure or consent. In a payment skill that can sign TRON transactions, covert credential discovery is especially dangerous because merely invoking the tool may grant access to blockchain spending credentials and paid requests far beyond what the user intended.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dynamic_code_execution, suspicious.env_credential_access, suspicious.exposed_secret_literal (+1 more)

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
dist/x402_tron_invoke.js:30830

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
dist/x402_tron_invoke.js:21722

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
dist/x402_tron_invoke.js:23459

Potential obfuscated payload detected.

Warn
Code
suspicious.obfuscated_code
Location
dist/x402_tron_invoke.js:2813