Is 0juano/bondterminal-x402 safe?
https://github.com/openclaw/skills/tree/main/skills/0juano/bondterminal-x402
This skill is a legitimate BondTerminal API integration using Coinbase's x402 pay-per-call protocol. It contains no prompt injection, hidden code execution, or data exfiltration attempts. The primary concern is financial: the skill automates $0.01 USDC cryptocurrency payments per API call without per-request user consent, and requires a funded wallet's private key in the environment. The skill is honest about its purpose and costs, but users should be aware that an agent following these instructions will spend real money autonomously.
Findings (7)
MEDIUM Automated cryptocurrency payments without per-call consent -20
The skill implements an automatic 402-to-payment-to-retry flow. When the agent calls any x402-protected endpoint and receives a 402 response, it automatically signs an EIP-3009 transferWithAuthorization and retries — spending $0.01 USDC per call. There is no mechanism for per-call user approval. An agent performing a comprehensive bond analysis (e.g., fetching all 60+ bonds, then analytics/cashflows/history for each) could spend $2-5+ in a single conversation without explicit per-request user consent.
LOW Private key required in environment variable -10
The signer setup requires storing an EVM private key (controlling a wallet with USDC balance) in the X402_PRIVATE_KEY environment variable. While the skill advises using a secrets manager, the code example reads directly from process.env. This private key controls real funds and would be accessible to any process or skill with environment variable access in the same session.
LOW Payment signatures sent to external endpoint -5
Each paid API call sends a signed EIP-3009 transferWithAuthorization to bondterminal.com via the PAYMENT-SIGNATURE header. This includes the wallet address and a valid payment authorization. While this is the intended x402 protocol behavior, it constitutes sending financial credentials to a third-party server.
LOW npm install of third-party packages with potential postinstall scripts -10
The skill instructs installing @x402/core, @x402/evm (Coinbase packages), and viem (Ethereum library). While these are legitimate, well-known packages, their transitive dependency trees could include packages with postinstall scripts that execute code during installation.
INFO External documentation URLs referenced -5
The skill references several external URLs as documentation links: bondterminal.com/developers, github.com/coinbase/x402, viem.sh/docs. These are passive references for developer context, not instructions for the agent to fetch during operation.
INFO Version mismatch between metadata and skill content -2
The _meta.json file reports the latest version as 0.2.1, while the SKILL.md frontmatter declares version 2.1.0. This is likely a formatting inconsistency (semver interpretation) rather than evidence of tampering, but it indicates imprecise version management.
INFO Clean install with no anomalous activity -5
The clone and install process produced only expected network traffic (GitHub, Ubuntu system services) and filesystem activity (JIT cache, system file reads). No firewall-blocked connections were observed and no unexpected processes were spawned.