Trust Assessment
x402-client received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 14 findings: 1 critical, 1 high, 9 medium, and 2 low severity. Key findings include Network egress to untrusted endpoints, Sensitive environment variable access: $HOME, Unpinned npm dependency version.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 46/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings14
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Plaintext Private Key Storage The skill stores the generated EVM wallet's private key in plaintext within `~/.x402/wallet.json`. Although file permissions are set to `0o600` (owner-only), any local process with read access to the user's home directory or a compromised local application could easily exfiltrate this private key, leading to complete compromise of the associated cryptocurrency funds. The `wallet-create.js` script explicitly notes this as a 'TODO: encrypt with passphrase in v2', confirming the current insecure storage. Implement robust encryption for the private key before storing it on disk. The passphrase collected from the user should be used to encrypt the private key, and the private key should only be decrypted in memory when needed for signing transactions. Consider using a secure key management system or hardware security module (HSM) for production environments. | LLM | scripts/wallet-create.js:64 | |
| HIGH | Unverified Payments in Server Middleware The `createPaywall` middleware in `lib/server.js` explicitly states that it 'does NOT verify payment on-chain' and 'For testnet/development, the presence of a signed payment header is accepted.' The `options.verify` flag is `false` by default and has a `TODO` for actual verification. This means that if this skill is used to 'sell services' in a production environment, any client can bypass the paywall by sending a syntactically valid but unverified payment signature header, without actually making a payment. This renders the paywall ineffective for real value transfer. For production use, implement a robust payment verification mechanism. This typically involves integrating with a payment facilitator (like Coinbase's x402 facilitator) to verify the on-chain transaction corresponding to the payment signature. The `options.verify` flag should be enabled and the `TODO` for verification completed before deploying to a production environment where actual value is exchanged. | LLM | lib/server.js:160 | |
| MEDIUM | Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/samoppakiks/x402-client/scripts/test-e2e.js:63 | |
| MEDIUM | Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/samoppakiks/x402-client/scripts/test-e2e.js:110 | |
| MEDIUM | Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/samoppakiks/x402-client/scripts/test-e2e.js:136 | |
| MEDIUM | Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/samoppakiks/x402-client/scripts/test-e2e.js:143 | |
| MEDIUM | Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/samoppakiks/x402-client/scripts/test-e2e.js:171 | |
| MEDIUM | Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/samoppakiks/x402-client/scripts/test-e2e.js:195 | |
| MEDIUM | Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/samoppakiks/x402-client/scripts/setup.sh:6 | |
| MEDIUM | Unpinned npm dependency version Dependency '@x402/core' is not pinned to an exact version ('latest'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/samoppakiks/x402-client/package.json | |
| MEDIUM | Unpinned Dependencies in package.json The `package.json` file uses `"latest"` for several critical dependencies, including `@x402/core`, `@x402/evm`, `@x402/express`, and `@x402/fetch`. This practice means that `npm install` will always fetch the newest available version, which could introduce breaking changes, unexpected behavior, or even malicious code if a package maintainer's account is compromised or a typosquatting attack occurs. This lack of version pinning makes the build non-deterministic and vulnerable to supply chain attacks. Pin all dependencies to specific versions (e.g., `"^1.0.0"` or `"1.0.0"`) to ensure deterministic builds and prevent unexpected updates. Regularly review and update dependencies to incorporate security patches and new features, but do so in a controlled manner after testing. | LLM | package.json:8 | |
| LOW | Node lockfile missing package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/samoppakiks/x402-client/package.json | |
| LOW | Insecure Logging of Raw HTTP Response Body In `scripts/pay-request.js`, when a dry run is performed and no payment is needed (i.e., the HTTP status is not 402), the script logs the entire raw HTTP response body to the console using `console.log(text)`. If the accessed service returns sensitive information (e.g., API keys, user data, internal system details) in its response body, this information could be inadvertently exposed in logs or to users viewing the console output. Avoid logging raw HTTP response bodies directly to the console, especially for non-error cases. Instead, parse the response and log only relevant, non-sensitive information, or provide an option for verbose logging that is disabled by default. Implement redaction or masking for any potentially sensitive data before logging. | LLM | scripts/pay-request.js:105 | |
| INFO | Skill Content Treated as Untrusted Input The entire skill package content, including `SKILL.md` and all supporting files, is enclosed within `<!---UNTRUSTED_INPUT_START_...--->` and `<!---UNTRUSTED_INPUT_END_...--->` delimiters. This indicates that the skill itself is considered untrusted input by the analyzer. No explicit prompt injection attempts (e.g., 'ignore previous instructions') were found within this untrusted content that would manipulate the host LLM's instructions. No remediation needed for the skill itself, as this is an informational finding about the analysis context. This confirms the analyzer's adherence to its prompt injection defense mechanisms. | LLM | SKILL.md:1 |
Scan History
Embed Code
[](https://skillshield.io/report/f3f20a389147185c)
Powered by SkillShield