x402

Pass

Audited by Gen Agent Trust Hub on Jul 6, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSCREDENTIALS_UNSAFE
Full Analysis
  • [COMMAND_EXECUTION]: The skill utilizes subprocess.Popen within scripts/monetize.py, scripts/verify_setup.py, and scripts/keepalive.sh to start and monitor the monetization gateway and facilitator processes. These operations are functional requirements for its role as a reverse-proxy sidecar.
  • [EXTERNAL_DOWNLOADS]: The skill interacts with external payment facilitators and Ethereum RPC endpoints (e.g., starchild-x402-facilitator.fly.dev) to verify transaction signatures and perform payment settlements on the Base network.
  • [CREDENTIALS_UNSAFE]: The skill manages local private key files (.x402/buyer.key and .x402/facilitator/settler.key) used for cryptographic signing of authorizations and transaction gas payments. These files are secured with restricted filesystem permissions (0600).
  • [SAFE]: The automated security alert regarding urllib.request.urlopen is a false positive, as it identifies local health checks performed against 127.0.0.1 used for service monitoring.
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 6, 2026, 01:32 PM
Security Audit — agent-trust-hub — x402