agent-payment-x402
Pass
Audited by Gen Agent Trust Hub on May 13, 2026
Risk Level: SAFE
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill utilizes the
agentwallet-sdkpackage from the npm registry. The documentation includes security warnings regarding supply-chain risks and explicitly recommends pinning version6.0.0for safety. - [COMMAND_EXECUTION]: The skill configures an MCP server using
npxto execute the payment SDK. The provided TypeScript example demonstrates secure subprocess invocation by whitelisting only necessary environment variables (e.g.,WALLET_PRIVATE_KEY) rather than exposing the entire parent environment. - [CREDENTIALS_UNSAFE]: The skill manages private keys for blockchain transactions. It follows security best practices by instructing users to use environment variables for secret storage and providing validation logic to ensure keys are present before starting services.
- [SAFE]: The skill includes defensive code patterns, such as a
preToolCheckhook that validates input types, checks spending limits before every transaction, and implements fail-closed logic to block actions if the payment service is unreachable.
Audit Metadata