agent-payment-x402

Pass

Audited by Gen Agent Trust Hub on May 13, 2026

Risk Level: SAFE
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill utilizes the agentwallet-sdk package from the npm registry. The documentation includes security warnings regarding supply-chain risks and explicitly recommends pinning version 6.0.0 for safety.
  • [COMMAND_EXECUTION]: The skill configures an MCP server using npx to execute the payment SDK. The provided TypeScript example demonstrates secure subprocess invocation by whitelisting only necessary environment variables (e.g., WALLET_PRIVATE_KEY) rather than exposing the entire parent environment.
  • [CREDENTIALS_UNSAFE]: The skill manages private keys for blockchain transactions. It follows security best practices by instructing users to use environment variables for secret storage and providing validation logic to ensure keys are present before starting services.
  • [SAFE]: The skill includes defensive code patterns, such as a preToolCheck hook that validates input types, checks spending limits before every transaction, and implements fail-closed logic to block actions if the payment service is unreachable.
Audit Metadata
Risk Level
SAFE
Analyzed
May 13, 2026, 03:29 AM
Security Audit — agent-trust-hub — agent-payment-x402