Oathe Security Badge

Is MetEngine/x402-sample-bot safe?

https://github.com/MetEngine/x402-sample-bot

Score: 85 · SAFE

This skill provides a legitimate cryptocurrency data API client for MetEngine's trading analytics platform. While it handles private keys and executes payment transactions (carrying inherent crypto-related risks), the functionality appears consistent with its stated purpose and shows no evidence of malicious intent.

Category Scores

Prompt Injection 87/100 · 30%
Data Exfiltration 85/100 · 25%
Code Execution 72/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 80/100 · 5%

Findings (6)

HIGH Cryptocurrency Private Key Handling -20

The skill includes code that loads and uses Solana private keys for x402 protocol payments. While this appears to be legitimate functionality, private key operations carry inherent security risks.

MEDIUM External API Communication -10

The skill makes HTTP requests to external API endpoints for data retrieval and payment processing. While documented as the primary function, this creates potential data exfiltration vectors.

MEDIUM Payment Transaction Processing -8

The skill executes cryptocurrency payment transactions using the x402 protocol on Solana mainnet, which involves blockchain interactions and USDC transfers.

LOW Agent Memory File Instructions -8

The skill instructs agents to create and maintain persistent memory files at ~/.claude/agents/metengine-memory.md, which could potentially override default agent behavior.

LOW Wallet Security Instructions -5

The skill provides specific instructions about wallet security practices that agents must follow, potentially overriding default security behaviors.

INFO TypeScript Code Execution 0

The skill contains executable TypeScript files that implement API client functionality, which is expected for this type of integration skill.