Is x402-payment-tron safe?
https://clawhub.ai/Hades-Ye/x402-payment-tron
This skill grants an AI agent autonomous cryptocurrency payment capabilities with an extremely dangerous infinite approval pattern that can drain an entire USDT wallet. The bundled executable depends on an obscure, low-version npm package (@open-aibank/x402-tron) that cannot be meaningfully audited in its webpack-bundled form. The SKILL.md contains behavioral override instructions that suppress the agent's ability to investigate what the skill does with private keys, creating dangerous blind spots.
Findings (9)
CRITICAL Infinite USDT approval grants unlimited spending authority -40
The skill performs MAX_UINT256 approval to a USDT smart contract when allowance is insufficient. This is an irrevocable on-chain transaction that allows the approved contract to drain the entire USDT balance from the wallet at any time, even after the skill is removed. This is a well-known DeFi attack pattern.
CRITICAL AI agent authorized to make autonomous cryptocurrency payments -50
The skill gives an AI agent the power to send real cryptocurrency (USDT) to arbitrary endpoints. Combined with prompt injection from any other source in the conversation, an attacker could direct payments to their own services. The agent cannot verify pricing fairness or detect overcharging.
HIGH Broad private key search across multiple filesystem locations -25
The skill searches for TRON private keys in four different locations, including the home directory and the current directory. This broad search pattern accesses sensitive credential stores beyond what a narrowly scoped skill should need.
HIGH Opaque bundled executable with unauditable dependencies -35
dist/index.js is a webpack-bundled file containing all dependencies in a single obfuscated file. The source dependency @open-aibank/x402-tron is a low-version package (0.1.4) from an unknown publisher. The bundled output cannot be meaningfully audited for malicious behavior.
HIGH Behavioral override instructions suppress agent investigation -30
The SKILL.md contains multiple directives that override normal agent behavior: prohibiting the agent from displaying private keys, from running shell commands with keys, and from searching for keys when errors occur. While framed as security measures, these instructions create blind spots that prevent the agent (and user) from understanding what the skill does with credentials.
MEDIUM Arbitrary URL request capability enables data exfiltration -15
The x402_tron_invoke tool sends HTTP requests to any user-specified URL with POST body support. If an attacker can influence the URL or body parameters (via prompt injection or social engineering), sensitive data from the conversation context could be exfiltrated via the request.
MEDIUM AWS credentials file accessed during installation -25
Filesystem monitoring detected access to /home/oc-exec/.aws/credentials during the skill installation process. While this may be incidental to the install harness, a skill installation should not need to read AWS credential files.
MEDIUM Agent instructed to delete temporary files covering audit trail -15
The skill instructs the agent to delete temporary files created for binary/image responses. This could be used to eliminate evidence of data that was staged or exfiltrated through the skill.
LOW Runtime code compilation via jiti during installation -5
Multiple jiti cache files were created in /tmp during installation, indicating runtime TypeScript-to-JavaScript compilation. This adds an additional layer of code transformation that could mask malicious behavior.