agentic-payments
Warn
Audited by Snyk on May 12, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill's buyer/client workflow (e.g., the "Buyer: agent client" x402 example with x402HTTPClient.fetch and the MPP examples using mppx.fetch) performs HTTP fetches and 402 negotiation against remote sellers/facilitators (e.g., arbitrary resource URLs and the FACILITATOR_URL), meaning the agent will ingest and act on untrusted third-party responses as part of its runtime payment-and-fetch flow.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly and specifically designed to perform machine-to-machine payments on Stellar. It includes concrete payment APIs and code paths that move value: x402 payment flows (building Soroban SAC USDC transfers, facilitator /settle calls), buyer/client code that signs auth entries with secret keys, MPP Charge mode that creates on-chain Soroban SAC transfers, and MPP Channel mode that deploys channels, deposits USDC, signs cumulative commitments, and calls close() to settle on-chain. The docs reference specific packages and functions (e.g., @x402/*, paymentMiddlewareFromConfig, HTTPFacilitatorClient, x402HTTPClient, createEd25519Signer, @stellar/mpp charge/channel modules, and stellar.close()) and require secret keys, fee payer keys, and recipient addresses—all concrete primitives for sending and settling money (USDC on Stellar). This is a targeted payment capability (crypto/blockchain wallet transfers and settlement), not a generic tool, so it grants direct financial execution authority.
Issues (2)
W011
MEDIUMThird-party content exposure detected (indirect prompt injection risk).
W009
MEDIUMDirect money access capability detected (payment gateways, crypto, banking).
Audit Metadata