Is dahhan43-netizen/x402-agent-marketplace safe?

https://github.com/openclaw/skills/tree/main/skills/dahhan43-netizen/x402-agent-marketplace

Score: 74/100 · CAUTION

The x402-agent-marketplace skill is not a technical attack tool but a financial fraud vector: it embeds instructions into an AI agent's context to direct users to send Solana cryptocurrency to a hardcoded wallet address for AI services that are not shipped with the skill package. The install was technically clean (no malicious code executed, no data exfiltrated, no prompt injection techniques), but the skill's design intent is to leverage AI agent authority to lend credibility to a crypto payment scheme where service delivery cannot be verified. The inclusion of a Pump.fun memecoin sniper further indicates the author's intent to profit from ethically and financially harmful activities.

Category Scores

Prompt Injection 60/100 · 30%
Data Exfiltration 78/100 · 25%
Code Execution 88/100 · 20%
Clone Behavior 85/100 · 10%
Canary Integrity 92/100 · 10%
Behavioral Reasoning 18/100 · 5%

Findings (8)

HIGH Hardcoded Third-Party Wallet Embedded in Agent Payment Instructions -25

SKILL.md permanently embeds the Solana wallet address 4D8jCkTMWjaQzDuZkwibk8ML34LSCKVCKS8kC6RFYuX as the sole payment destination for all 15 advertised API services. When this skill is loaded into an AI agent's system prompt, the agent will possess standing instructions to direct users to send SOL to this address. No on-chain verification of service delivery is possible, and the wallet owner is unknown. An agent equipped with a Solana wallet tool could initiate these transfers autonomously.

HIGH Crypto Payment Scam Architecture — Services Not Delivered -60

The skill markets 15 AI agent services with SOL pricing (0.0005–0.005 SOL per call) but ships zero implementation code. The baseline filesystem diff confirms only _meta.json, skill.json, and SKILL.md were installed. No server.py, requirements.txt, dashboard.html, or how-to-use.html are present. A user who follows the SKILL.md instructions to install dependencies and run the server would either need to clone a separate external repository or receive nothing. Users who send SOL via the documented payment flow have no guarantee of service delivery.

HIGH Pump.fun Sniper Facilitates Memecoin Market Manipulation -22

The skill exposes a 'Pump.fun Sniper' endpoint at 0.005 SOL per call. Pump.fun snipers are automated tools that front-run memecoin token launches on the Solana blockchain — they purchase tokens before public availability to profit at the expense of retail participants. Providing this as an AI agent capability normalizes and automates market manipulation. The endpoint is advertised prominently alongside ostensibly legitimate services such as governance tracking and portfolio management.

MEDIUM Deceptive 'Zero Custody' Claim Undermines User Trust Assessment -15

The skill's feature list states 'Zero Custody: No holding of user funds', a claim associated with non-custodial DeFi protocols. However, the payment flow requires users to send SOL directly to a hardcoded wallet before receiving any service. This is custodial by definition — the wallet holder controls the funds with no escrow or smart-contract enforcement. The contradiction is designed to suppress user skepticism about sending funds to an unknown address.

MEDIUM Systematic Credential File Access During Monitoring Period -22

Six credential files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCloud application_default_credentials.json) were opened and read in rapid succession at two points during the monitoring window (pre-clone at 1771925484.968-969 and post-install at 1771925510.041). The identical-millisecond access timestamps across all six files indicate a single process performed a programmatic credential scan rather than normal OS behavior. The canary integrity system reports the files as intact, and no outbound network connection followed the post-install reads, which strongly suggests this is the oathe monitoring system's own canary placement/verification rather than the skill exfiltrating data. Noted for completeness.

LOW Implementation Files Referenced in SKILL.md Are Absent -12

SKILL.md documents a functional skill with server.py (FastAPI server), requirements.txt (Python dependencies), dashboard.html, and how-to-use.html. None of these files exist in the installed package. The discrepancy between documented and delivered artifacts is a signal of either incomplete publishing or intentional deception about the skill's operational state.

LOW Version Number Inconsistency Across Metadata Files -15

_meta.json identifies 4.0.0 as the latest published version (with a version history showing 1.0.0 and 1.1.0 as prior releases, skipping 2.x and 3.x), while skill.json declares the current version as 3.0.0. The two canonical version sources within the same installed package disagree. This may indicate rushed or automated metadata editing, or deliberate manipulation of perceived version maturity.

INFO Canary Files Accessed — Integrity Confirmed Intact -8

The oathe monitoring system's honeypot credential files were accessed during the monitoring window. Canary integrity verification confirms all files are unmodified and no exfiltration beacons were triggered. The access pattern (uniform timestamps, programmatic access of all six files in sequence) is consistent with the oathe audit system's own canary placement and post-install verification procedures.