Back to skill

Security audit

Agentic X402

Security checks across malware telemetry and agentic risk

Overview

This skill is coherent for x402 crypto payments, but it gives an agent persistent wallet-key access and can trigger real-money payments with limited built-in safeguards.

Install only if you intentionally want an agent to make crypto payments. Use a fresh low-balance wallet, start on testnet, set a low spending limit, avoid sensitive headers or request bodies, use trusted payment URLs only, and review link/router distribution behavior before relying on it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Rogue AgentSelf-Modification, Session Persistence
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
This command adds a privileged on-chain fund distribution capability that is not disclosed in the skill description, creating a dangerous mismatch between stated and actual behavior. In an agentic setting, hidden or under-documented money-moving functionality increases the risk of unintended invocation, user surprise, and unauthorized treasury movement if an agent or operator assumes the skill is limited to making payments for resource access.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README explicitly documents automatic payment behavior for arbitrary URLs but does not place a prominent warning near the command usage that the action may spend real USDC and transmit request data to third-party endpoints. In an agent skill context, this omission is meaningful because an autonomous agent may invoke the command from a 402 response path without strong human awareness of financial and privacy consequences.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The fetch command is described as automatically handling 402 payment flows, but the surrounding documentation does not clearly warn that using it can trigger outbound transmission and paid transactions against third-party services. Because this is marketed for agents and scripts, the lack of an explicit warning increases the chance of silent spending or disclosure of request content.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill promotes automatic payment handling for arbitrary URLs without a prominent warning that funds may be spent and request contents may be transmitted to third-party services. In an agent context, this can cause unintended financial loss and exfiltration of request data when a model follows generalized 'fetch' instructions against untrusted endpoints.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation instructs users to place a raw private key in an environment variable and write it directly to a .env file without strong warnings about shell history, logs, clipboard leakage, and process exposure. This materially increases the chance of wallet compromise, especially in agentic or shared-shell environments where commands may be logged or echoed.

Natural-Language Policy Violations

Medium
Confidence
96% confidence
Finding
The example configuration defaults X402_NETWORK to mainnet, which directs users toward real-money transactions unless they notice and change it. In a payment-oriented skill that uses a private key to authorize crypto payments, insecure defaults materially increase the chance of unintended financial loss during setup, testing, or automation.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
This code initializes a signing account directly from a configured EVM private key and then exposes payment-capable clients globally through a singleton. In a skill specifically designed to make x402 payments, that means the skill can spend funds without any explicit user confirmation, disclosure, or local guardrails in this file, increasing the risk of unintended or opaque financial transactions if the skill is misused or invoked unexpectedly.

Credential Access

High
Category
Privilege Escalation
Content
// Priority: env vars > local .env > global ~/.x402/.env
  const envPaths = [
    resolve(globalConfigDir, '.env'),
    resolve(cwd, '.env'),
  ];

  for (const envPath of envPaths) {
Confidence
74% confidence
Finding
.env'

Session Persistence

Medium
Category
Rogue Agent
Content
### Configure

Run the interactive setup to create a new wallet:

```bash
x402 setup
Confidence
90% confidence
Finding
create a new wallet: ```bash x402 setup ``` This will: 1. Generate a new wallet (recommended) or accept an existing key 2. Save configuration to `~/.x402/.env` 3. Display your wallet address for fun

Session Persistence

Medium
Category
Rogue Agent
Content
### Recovery

```bash
mkdir -p ~/.x402
echo "EVM_PRIVATE_KEY=0x...your_backed_up_key..." > ~/.x402/.env
chmod 600 ~/.x402/.env
x402 balance  # verify
Confidence
88% confidence
Finding
mkdir -p ~/.x402 echo "EVM_PRIVATE_KEY=0x...your_backed_up_key..." > ~/.x402/.env chmod 600 ~/.x402/.env x402 balance # verify ``` ## Security Best Practices - **Use a dedicated wallet** — Never us

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.exposed_secret_literal

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
bin/cli.ts:133

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
bin/x402.js:37

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/commands/setup.ts:148