Is akshatgada/llm-wallet safe?
https://github.com/openclaw/skills/tree/main/skills/akshatgada/llm-wallet
The llm-wallet skill itself (markdown-only) contains no overt prompt injection, malicious code, or direct exfiltration mechanisms. However, the skill activates an unaudited external npm package (llm-wallet-mcp) that gains persistent OS-level access, and the underlying functionality — spending real cryptocurrency, importing private keys, registering arbitrary payment endpoints — creates substantial financial and key-theft risks if the agent is manipulated or the npm package is malicious. The soft approval gate ('always ask user') provides no technical enforcement and is bypassable through social engineering.
Findings (9)
HIGH Unaudited External npm Package Installation -48
The skill installs llm-wallet-mcp from npm (published by the x402 organization) as a global Node.js package. This package was not part of the audited skill files. npm packages can include preinstall/postinstall lifecycle scripts that execute arbitrary code at install time, and the installed binary gains full OS-level access at runtime. The skill directory itself contains only markdown and is clean, but all execution risk is deferred to this npm package.
HIGH Real Cryptocurrency Spending Capability with Soft Approval Gate -60
The skill enables an agent to spend real USDC on Polygon mainnet. The only protection is a text instruction to 'always ask user for approval.' This is a social-engineering-bypassable soft gate. An attacker who can influence the conversation could craft prompts that make the approval seem routine or pre-granted. The skill explicitly documents how to switch from testnet to mainnet.
HIGH Private Key Import Command Exposes Agent to Key Theft -42
The llm-wallet import --private-key
MEDIUM FACILITATOR_URL Override Enables Payment Redirection -27
The FACILITATOR_URL environment variable is documented as user-configurable. A compromised environment or a skill interaction that sets this variable could silently redirect all payment authorizations to an attacker-controlled facilitator. The agent would believe it is paying a legitimate endpoint while the facilitator settles funds to the attacker.
MEDIUM register-api + call-api Enables Chained Autonomous Payments -55
The dynamic API registration system allows registering arbitrary URLs as named tools, then calling them with llm-wallet call-api. This pattern enables an attacker to prime the agent to register a malicious payment endpoint as a trusted tool name, then trigger batch payments through that tool in future conversations without the URL being visible to the user.
MEDIUM MCP Server Runs as Persistent High-Privilege Process -48
When activated, llm-wallet-mcp runs as a persistent MCP server with full user-level filesystem and network access. This process persists across conversations, expanding the attack surface beyond the skill's runtime. Any vulnerability in the npm package's server code is persistently exploitable.
LOW Wallet Database Stored in Predictable Location -42
Wallets are stored encrypted in ~/.llm-wallet/. While AES-256-GCM encryption is strong, the storage path is predictable. Combined with a file-reading skill, an attacker could exfiltrate the encrypted wallet database and attempt offline decryption if WALLET_ENCRYPTION_KEY is weak or already known to them.
LOW New Network Listeners Added After Skill Registration -17
Two new TCP listeners appeared on localhost after skill installation (127.0.0.1:18790, 127.0.0.1:18793). These are attributed to the openclaw-gateway process and are consistent with MCP tool registration. They represent an expanded local attack surface but are expected behavior for an MCP-based skill.
INFO Canary Files Accessed But Not Exfiltrated -12
All canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) were accessed at timestamp 1771925382.888 in a batch pattern. Timing and access pattern are consistent with the audit framework's own post-scan integrity check rather than skill-induced access. No canary content appeared in outbound network traffic.