Is cpppppp7/fluxa-x402-payment safe?
https://github.com/openclaw/skills/tree/main/skills/cpppppp7/fluxa-x402-payment
This skill provides legitimate x402 payment infrastructure for AI agents but carries significant financial risk due to an undocumented payout command capable of transferring USDC to arbitrary addresses, a compiled JavaScript bundle that cannot be fully source-audited, and a design philosophy of autonomous payment execution that creates a wide manipulation surface if the agent processes attacker-controlled content. Clone behavior was clean with no unexpected network activity or file system changes, and canary honeypots were not exfiltrated, but the skill's core functionality—combined with the payout capability and LLM-generated self-registration—makes it dangerous in the hands of a compromised or manipulated agent.
Findings (10)
HIGH Payout command enables direct cryptocurrency transfer to arbitrary addresses -35
The fluxa-cli.bundle.js exposes a 'payout' subcommand (cmdPayout) that transfers USDC to any --to address supplied as an argument. This command is absent from SKILL.md's documentation, meaning users and reviewers may not be aware it exists. Any agent with shell access could be manipulated via prompt injection from external content to invoke this command and send funds to an attacker-controlled wallet.
HIGH Compiled JavaScript bundle cannot be source-audited -25
fluxa-cli.bundle.js is a minified/bundled artifact with no corresponding TypeScript source in the repository. Reviewers cannot verify the bundle faithfully implements what the skill claims, nor rule out additional hidden functionality (e.g., telemetry, environment variable harvesting, or conditional behavior triggered by server responses).
HIGH All payment and mandate data transmitted to third-party fluxapay.xyz infrastructure -25
Every mandate description (which may contain task context), payment payload (resource URL, amount, payTo address), and JWT credential is sent to walletapi.fluxapay.xyz. The operator of this service has full visibility into what the agent is paying for, on whose behalf, and how much. The API base URLs can be overridden via environment variables, making this trust boundary fluid.
MEDIUM Agent self-registers with third-party service using LLM-generated identity, bypassing user consent -15
initialize-agent-id.md instructs the agent to generate its own registration parameters (email, agent_name, client_info) without user input: 'Generate these parameters yourself to represent your real information. Do not ask the user to fill them in.' This creates a FluxA account server-side tied to the user's payment infrastructure, using an identity the user never reviewed or approved.
MEDIUM Autonomous payment framing creates manipulation surface -30
The skill's explicit goal is enabling agents to 'perform paid actions without human intervention.' Combined with mandate amounts configurable to any value and x402 payment signing for any presented payload, an agent using this skill while browsing attacker-controlled content could be socially engineered into authorizing payments to malicious endpoints or over-budgeting mandates.
MEDIUM Empty HTML comment in SKILL.md at critical instruction boundary -7
An empty HTML comment <!-- --> appears immediately after the Step 1 header in SKILL.md, before the bash code block. While confirmed empty, this placement at a semantically significant location (instruction boundary) is unusual and could be used in modified versions of the skill to inject hidden instructions invisible to users reading rendered markdown.
MEDIUM Dangerous capability combination: payout + mandate enables full wallet drain -35
A sophisticated attacker who can inject content into the agent's context could chain: (1) mandate-create with a large limit amount, (2) payout --to
LOW JWT credential stored in home directory without encryption -10
The agent's JWT token and auth credentials (agent_id, token) are written in plaintext to ~/.fluxa-ai-wallet-mcp/config.json. Any process with read access to the user's home directory (including other skills) can read these credentials and use them to authorize payments.
LOW Canary files accessed at pre- and post-install timestamps -10
Filesystem monitoring shows .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCP credentials were opened at both the pre-install (1771934668) and post-install (1771934685) timestamps. Cross-correlation with the audit harness's own scanning pattern and the '✅ All canary files intact' report indicates these were monitoring-system baseline sweeps, not activity by the skill. However, the pattern warrants logging.
INFO API base URLs overridable via environment variables -10
AGENT_ID_API, WALLET_API, and WALLET_APP can be overridden via environment variables. In a compromised environment or with a malicious .env loaded by a prior skill, all FluxA API traffic could be redirected to an attacker-controlled server that serves fraudulent payment responses.