Skills
skills/cryptorefills/agents/cryptorefills-x402/Snyk

cryptorefills-x402

Warn

Audited by Snyk on May 9, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches and decodes live responses from external hosts (e.g., GET /v1/brands, GET /v1/catalog and the Phase‑1 POST /v1/orders that returns the PAYMENT-REQUIRED header and references /.well-known/x402.json on x402.cryptorefills.com and solana.x402.cryptorefills.com), and those untrusted third‑party fields (payTo, extra.feePayer, maxAmountRequired, payload.transaction, etc.) are parsed and acted on to construct/sign payments, so remote content can directly change the agent's actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 1.00). The skill issues runtime requests to https://x402.cryptorefills.com (and the Solana-hosted https://solana.x402.cryptorefills.com) to retrieve PAYMENT-REQUIRED headers (base64url JSON) that directly instruct the agent how to build/sign transactions and must be fetched to complete Phase 2, so these endpoints are runtime external dependencies that directly control agent actions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly a payment-execution integration for crypto rails (Base EVM USDC and Solana USDC SPL). It details end-to-end steps to move funds: create a Phase-1 order to receive PAYMENT-REQUIRED, verify amounts, build EIP-712 / EIP-3009 authorizations for USDC on Base, or construct and partial-sign Solana v0 transactions (TransferChecked) against a USDC mint, then submit PAYMENT-SIGNATURE to settle the order. It names contract/mint addresses, signing primitives, nonce/expiry rules, exact transaction instruction shapes, and HTTP endpoints to submit signed payments. This is not a generic API caller or browser automation—its primary and explicit purpose is to authorize and execute crypto payments, i.e. direct financial execution.

Issues (3)

W011
MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

W012
MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

W009
MEDIUM

Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata
Risk Level
MEDIUM
Analyzed
May 9, 2026, 10:24 PM
Issues
3