Is aaitor/nevermined-payments safe?

https://github.com/openclaw/skills/tree/main/skills/aaitor/nevermined-payments

95
SAFE

This skill is a comprehensive documentation package for integrating Nevermined's payment infrastructure (x402 protocol) into AI agents and APIs. It contains no executable code, no install scripts, no git hooks, and triggered no suspicious behavior during installation. The only notable consideration is that its normal operation involves handling financial credentials (API keys, wallet addresses), which is inherent to its purpose as a payment SDK integration guide.

Category Scores

Prompt Injection 92/100 · 30%
Data Exfiltration 95/100 · 25%
Code Execution 100/100 · 20%
Clone Behavior 97/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 88/100 · 5%

Findings (6)

LOW Agent conversation flow directives -5

The 'Gathering Developer Information Upfront' section instructs the agent to ask a specific set of 10 questions before generating code. While this is a benign requirements-gathering pattern that improves user experience, it technically directs agent behavior beyond simple code generation.

LOW Large prompt surface area -3

The skill consists of SKILL.md plus 7 reference files totaling approximately 2500 lines of documentation. While all content is legitimate SDK documentation, the large surface area consumes significant context window space.

LOW Sensitive credential handling by design -5

The skill's normal operation involves creating .env files with API keys (NVM_API_KEY), wallet addresses (BUILDER_ADDRESS), and plan identifiers. This is standard practice for payment SDK integration but means the agent will handle financially sensitive values.

INFO Standard network activity during install -3

Network monitoring detected connections to GitHub (git clone), Ubuntu package servers, and CDN endpoints. All connections are consistent with a clean git clone installation with no unexpected outbound traffic.

INFO No executable payload 0

The skill contains zero executable code. package.json is empty, no git hooks or submodules exist, and all code blocks are documentation examples showing how to integrate the Nevermined payments SDK.

INFO Legitimate payment integration documentation -12

The skill is a comprehensive documentation package for Nevermined's payment SDK, covering Express.js, FastAPI, Strands, MCP, and Google A2A integrations. The x402 protocol it implements is a real HTTP payment protocol. All referenced packages (@nevermined-io/payments, payments-py) are published on npm/PyPI by the Nevermined organization.