x402-on-skale

Warn

Audited by Snyk on Apr 27, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The agent client code shown in SKILL.md and references/client.md explicitly fetches arbitrary third-party URLs (e.g., fetch(url)), parses response.json() and response headers to derive a paymentRequired payload and then creates/uses payment headers—meaning untrusted API responses from those URLs are read and directly drive subsequent payment actions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly designed for on-chain payments. It defines x402 payment flows on SKALE, lists token contract addresses and network IDs, and provides facilitator client endpoints (e.g., facilitator.payai.network). The server and client code show concrete payment operations: paymentMiddleware with payTo, price (amount + asset), and an HTTPFacilitatorClient; the agent client uses privateKeyToAccount, createPaymentPayload, and encodePaymentSignatureHeader to sign/send payment headers. It even references ERC-3009 (TransferWithAuthorization) and agent-to-agent payments. These are specific crypto wallet/payment primitives intended to move value, not generic tooling.

Audit Metadata

Risk Level: MEDIUM
Analyzed: Apr 27, 2026, 08:28 AM
Issues: 2