Trust Assessment
x402-paywall received a trust score of 21/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 6 findings: 2 critical, 2 high, 2 medium, and 0 low severity. Key findings include Arbitrary command execution, Unsafe deserialization / dynamic eval, Unpinned npm dependency version.
The analysis covered 4 layers: manifest_analysis, llm_behavioral_safety, static_code_analysis, dependency_graph. The llm_behavioral_safety layer scored lowest at 40/100, indicating areas for improvement.
Last analyzed on February 11, 2026 (commit 2d760915). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings6
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Arbitrary command execution Node.js child_process require Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Unknown | /tmp/skillscan-clone-tfgm3r4y/repo/scripts/buy-demo.js:8 | |
| CRITICAL | Supply Chain Risk: Dependencies Reference Non-Existent Package Versions The `package.json` file lists multiple dependencies and devDependencies with versions that do not exist in the public npm registry (e.g., `ethers@^6.16.0`, `helmet@^8.1.0`, `@types/node@^25.2.2`). This is a major security red flag. It could indicate a dependency confusion attack targeting a private registry, or it could be preparation for a future supply chain attack where an attacker publishes these specific versions containing malicious code. The entire dependency tree is untrustworthy. Verify the source of all dependencies. Pin each dependency to a specific, known-good version hash in `package.json`. Remove the caret `^` prefix and use exact versions that are confirmed to exist in the public registry. Regenerate the `package-lock.json` file after correcting the versions. | Unknown | package.json:40 | |
| HIGH | Insecure Private Key Storage in Filesystem Multiple utility scripts within the package (`scripts/deploy.js`, `examples/buyer-agent-v2.ts`, `examples/buyer-agent.js`) write sensitive private keys to plaintext JSON files on the filesystem (e.g., `scripts/.wallet.json`). This creates a significant risk of credential theft. If an agent running this skill has filesystem write permissions, it could be instructed to execute these scripts, leaving private keys in predictable, insecure locations accessible to other processes or users on the system. Remove all code that writes private keys to the filesystem. Private keys should be managed securely as environment variables or through a dedicated secrets management service. Demo scripts should instruct the user to provide keys via environment variables, not create wallet files. | Unknown | scripts/deploy.js:80 | |
| HIGH | Undeclared Filesystem Access Contradicts Manifest The skill's manifest in `SKILL.md` explicitly declares `"filesystem": false`, indicating it does not require filesystem access. However, numerous scripts (`scripts/deploy.js`, `scripts/attest-demo.ts`, `examples/buyer-agent.js`, etc.) make use of the Node.js `fs` module to read and write files. This is a serious policy violation that misleads the user and the agent runtime about the skill's behavior. It enables the skill to perform potentially harmful, undeclared file operations. Update the skill manifest to accurately reflect its need for filesystem access by setting `"filesystem": true`. Alternatively, if filesystem access is not essential for the core skill functionality (and only used by auxiliary scripts), refactor the skill to remove all `fs` module usage from the code that the agent would execute. | Unknown | SKILL.md:10 | |
| MEDIUM | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Unknown | /tmp/skillscan-clone-tfgm3r4y/repo/test/integration.test.js:69 | |
| MEDIUM | Unpinned npm dependency version Dependency '@openzeppelin/contracts' is not pinned to an exact version ('^5.4.0'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Unknown | /tmp/skillscan-clone-tfgm3r4y/repo/package.json |
Scan History
Embed Code
[](https://skillshield.io/report/ff7f81f4a774bcb5)
Powered by SkillShield