Trust Assessment
x402 received a trust score of 84/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 2 findings: 0 critical, 1 high, 0 medium, and 1 low severity. Key findings include Unpinned dependencies in installation instructions, Insecure handling of private keys via environment variables.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Insecure handling of private keys via environment variables: The provided examples instruct users to load `EVM_PRIVATE_KEY` and `SVM_PRIVATE_KEY` directly from environment variables. While convenient for development, storing private keys in plain-text environment variables is highly insecure for production environments. These keys can be exposed through process listings, logs, or by other processes on the same system, leading to potential compromise of associated cryptocurrency wallets. Advise users against storing private keys directly in environment variables for production. Recommend more secure methods such as hardware security modules (HSMs), cloud secret management services (e.g., AWS Secrets Manager, Azure Key Vault, Google Secret Manager), or encrypted key stores that require explicit decryption. | LLM | SKILL.md:77 |
| LOW | Unpinned dependencies in installation instructions: The provided `npm install` and `pip install` commands in the examples do not specify exact versions for dependencies. This practice can lead to non-deterministic builds, unexpected breaking changes, or the introduction of vulnerabilities if a dependency's latest version is compromised or contains a bug. For production environments, it is a best practice to pin exact versions to ensure stability and security. Advise users to pin exact versions for all dependencies (e.g., `npm install package@1.2.3` or `pip install package==1.2.3`) and use lock files (`package-lock.json`, `requirements.txt` with hashes, `Pipfile.lock`, `poetry.lock`) to ensure deterministic and secure builds. | LLM | SKILL.md:70 |