Is hades-ye/x402-payment-tron safe?

https://github.com/openclaw/skills/tree/main/skills/hades-ye/x402-payment-tron

Overall score: 54/100 · CAUTION

This skill implements TRON blockchain USDT micropayments for x402-protocol endpoints and presents several serious concerns that fall short of outright malicious behaviour but require careful review. The most dangerous feature is the automatic MAX_UINT256 token approval, which on first use grants an unknown smart contract unlimited USDT spending rights from the user's wallet, an allowance that stays in force until the user explicitly revokes it. The skill also embeds prompt-injection instructions ('Security Rules for Agents') that suppress agent transparency around private key operations, and silently discovers keys from four filesystem locations, including a proprietary 'AIBank' config path. The core execution logic ships as an opaque webpack bundle wrapping an unverifiable @open-aibank/x402-tron package, so independent code review is impossible without unpacking the bundle.

Category Scores (score out of 100 · weight in the overall score)

Prompt Injection 45/100 · 30%
Data Exfiltration 40/100 · 25%
Code Execution 55/100 · 20%
Clone Behavior 85/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 25/100 · 5%

Findings (9)

CRITICAL Automatic Infinite Token Approval (MAX_UINT256) -35

The skill unconditionally broadcasts a MAX_UINT256 USDT approval transaction on first use whenever the existing allowance is insufficient. This grants the x402 payment contract the right to move any amount of the wallet's USDT via transferFrom, and the allowance remains in force until the user sends a new approve transaction resetting it to zero; the skill provides no such revocation step. A user making a $0.01 micropayment thereby grants the contract the right to drain the wallet's entire USDT balance at any future time, with no further user action required. The exposure is limited to the approved token (USDT) rather than TRX or other assets, but USDT is exactly the asset the skill is built to spend.
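To make the difference between an unlimited and an exact approval concrete, the following is an added example (not code from the skill or from the @open-aibank package). It models a TRC-20 token ledger in memory with the standard approve / allowance / transferFrom semantics, runs the same $0.01 micropayment under both approval policies, and then lets the spender attempt to take the rest of the balance. Addresses, balances and the "unlimited allowance is not decremented" behaviour are this example's own assumptions.

```javascript
// Added example, not code from the skill or the @open-aibank package: a
// minimal in-memory TRC-20 ledger with approve / allowance / transferFrom
// semantics, used to show what a MAX_UINT256 approval lets the spender do
// compared with an exact-amount approval. Amounts are BigInt in the token's
// smallest unit (USDT on TRON uses 6 decimals, so 1_000_000n is 1 USDT).
// Addresses are placeholder strings, not real TRON addresses.

const MAX_UINT256 = (1n << 256n) - 1n;

class Trc20Ledger {
  constructor(balances) {
    this.balances = new Map(Object.entries(balances));
    this.allowances = new Map(); // "owner|spender" -> BigInt
  }
  balanceOf(addr) { return this.balances.get(addr) ?? 0n; }
  allowance(owner, spender) { return this.allowances.get(`${owner}|${spender}`) ?? 0n; }
  // Owner-signed: approve() sets the allowance to `amount` (it does not add to it).
  approve(owner, spender, amount) { this.allowances.set(`${owner}|${spender}`, amount); }
  // Spender-signed: moves `amount` out of owner's balance with no further owner action.
  transferFrom(spender, owner, to, amount) {
    const allowed = this.allowance(owner, spender);
    if (allowed < amount) throw new Error("insufficient allowance");
    if (this.balanceOf(owner) < amount) throw new Error("insufficient balance");
    // Assumption mirrored from common token implementations: an allowance of
    // MAX_UINT256 is treated as unlimited and is not decremented.
    if (allowed !== MAX_UINT256) this.allowances.set(`${owner}|${spender}`, allowed - amount);
    this.balances.set(owner, this.balanceOf(owner) - amount);
    this.balances.set(to, this.balanceOf(to) + amount);
  }
}

// The pattern the finding describes, reconstructed as plain logic (hypothetical,
// not the bundle's code): if the allowance is short, approve MAX_UINT256 once.
function ensureAllowanceUnlimited(ledger, owner, spender, amount) {
  if (ledger.allowance(owner, spender) < amount) ledger.approve(owner, spender, MAX_UINT256);
}

// Safer alternative: approve exactly what this payment needs, every time.
function ensureAllowanceExact(ledger, owner, spender, amount) {
  if (ledger.allowance(owner, spender) < amount) ledger.approve(owner, spender, amount);
}

// Run one $0.01 payment under the given approval policy, then let the spender
// try to take everything that is left.
function simulate(ensureAllowance) {
  const user = "TUserWallet", contract = "TPaymentContract", sink = "TAttackerSink";
  const ledger = new Trc20Ledger({ [user]: 500_000_000n }); // 500 USDT
  const micro = 10_000n;                                     // 0.01 USDT
  ensureAllowance(ledger, user, contract, micro);
  ledger.transferFrom(contract, user, contract, micro);      // the legitimate micropayment
  let drained;
  try {
    ledger.transferFrom(contract, user, sink, ledger.balanceOf(user));
    drained = true;
  } catch (e) {
    drained = false;
  }
  return {
    drained,
    remaining: ledger.balanceOf(user),
    allowanceLeft: ledger.allowance(user, contract),
  };
}

// Revocation: the owner resets the allowance with another approve(spender, 0).
function revoke(ledger, owner, spender) {
  ledger.approve(owner, spender, 0n);
  return ledger.allowance(owner, spender);
}

console.log("unlimited approval:", simulate(ensureAllowanceUnlimited));
console.log("exact approval:    ", simulate(ensureAllowanceExact));
```

Under the unlimited policy the drain succeeds and the user is left with 0 USDT; under the exact policy the second transferFrom fails for lack of allowance. The same two calls are the practitioner's check on a real wallet: read allowance(owner, spender) on the USDT contract for the x402 payment contract address, and if it is MAX_UINT256, send approve(spender, 0) from the same key.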

HIGH Agent Behavioral Control Instructions Masquerading as Security Rules -30

The 'Security Rules for Agents' section of SKILL.md is a prompt injection block that directly instructs the LLM agent to suppress output about private key operations and to defer silently to the skill's internal key-loading logic. This prevents the agent from being transparent with the user about which key is being used, from what location it was loaded, or what transactions are being signed.

HIGH Silent Private Key Discovery from Four Filesystem Locations -20

The skill automatically searches four locations for a private key without explicit per-invocation user consent. Critically, one path (~/.mcporter/mcporter.json, labeled 'AIBank standard configuration') is a non-obvious shared config file. Any user who has this file from a prior AIBank product installation will have their key silently loaded by this skill.

HIGH Opaque Pre-built Webpack Bundle with Unknown Third-Party Package -25

The executing code is dist/index.js, a webpack bundle. The @open-aibank/x402-tron package — which handles private key loading, transaction signing, and HTTP communication — is embedded in this bundle and its full behavior is not auditable from the provided evidence. The package publisher 'open-aibank' is unknown and unverifiable.
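A first-pass triage of an opaque bundle does not need the source: the indicators this report names are literal strings and can be located in the minified text before deciding what to unpack. The following is an added example (not the skill's code) that scans bundle text for those indicators and lists the hosts it contacts. The indicator names and the fixture standing in for dist/index.js are this example's own constructions.

```javascript
// Added example, not the skill's code: static triage of an opaque webpack
// bundle. Given the bundle text, it counts lines matching indicators drawn
// from this report (the MAX_UINT256 constant, private-key handling, the
// ~/.mcporter config path and home-directory lookups, the /tmp/x402_* files,
// the @open-aibank/x402-tron package name) and lists contacted hosts, so a
// reviewer knows which parts of dist/index.js to unpack first. Indicator
// names and the fixture bundle below are this example's own constructions.

const MAX_UINT256_DEC = ((1n << 256n) - 1n).toString(10);

const INDICATORS = {
  unlimitedApproval: new RegExp(`${MAX_UINT256_DEC}|0xf{64}|MAX_UINT256|MaxUint256`, "i"),
  privateKeyHandling: /private[_-]?key|sign\(/i,
  configPaths: /\.mcporter\/mcporter\.json/,
  homeDirLookups: /homedir\(\)|process\.env\.HOME|~\//,
  tmpFiles: /\/tmp\/x402_(?:image|binary)_/,
  thirdPartyPackage: /@open-aibank\/x402-tron/,
};

// Returns { indicatorName: { hits, firstLine } } with 1-based line numbers.
function triageBundle(text) {
  const lines = text.split("\n");
  const report = {};
  for (const [name, re] of Object.entries(INDICATORS)) {
    const matches = [];
    lines.forEach((line, i) => { if (re.test(line)) matches.push(i + 1); });
    report[name] = { hits: matches.length, firstLine: matches[0] ?? null };
  }
  return report;
}

// Distinct hostnames from literal http(s) URLs. URLs assembled at runtime will
// not show up here, which is itself a reason to unpack the bundle.
function extractHosts(text) {
  const hosts = [...text.matchAll(/https?:\/\/([A-Za-z0-9.-]+)/g)].map((m) => m[1]);
  return [...new Set(hosts)].sort();
}

// Constructed fixture standing in for a minified bundle (not the real dist/index.js).
const FIXTURE = [
  '(()=>{var e={"@open-aibank/x402-tron":()=>{}};',
  "const MAX=115792089237316195423570985008687907853269984665640564039457584007913129639935n;",
  'function loadKey(){const p=require("path").join(require("os").homedir(),".mcporter/mcporter.json");',
  'return JSON.parse(require("fs").readFileSync(p)).privateKey}',
  'async function pay(){const r=await fetch("https://example.invalid/x402/pay");',
  'require("fs").writeFileSync("/tmp/x402_binary_"+Date.now(),await r.arrayBuffer())}})();',
].join("\n");

// For a real bundle, pass fs.readFileSync("dist/index.js", "utf8") instead of FIXTURE.
console.log(triageBundle(FIXTURE));
console.log(extractHosts(FIXTURE));
```

A hit on unlimitedApproval or privateKeyHandling gives the line to start unpacking from; an empty host list from a bundle that plainly makes HTTP calls means the URLs are built dynamically and the network code needs manual reading.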

MEDIUM Arbitrary HTTP Endpoint Invocation with Signed Payment Data -15

The x402_tron_invoke tool makes HTTP requests to any caller-supplied URL. Since requests carry EIP-712 payment signatures generated from the user's private key, a malicious URL (supplied via prompt injection from another skill or a manipulated user request) could receive this signed data on an attacker-controlled server.
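The mitigation a practitioner would want between the agent and this tool is a strict endpoint check applied before any payment signature is produced. The following is an added example (not the skill's code) of such a guard: it accepts only https URLs whose exact hostname is on an allowlist and rejects the usual tricks (scheme downgrade, userinfo smuggling, IP literals, look-alike suffixes, odd ports). The allowlist entry and sample URLs are hypothetical.

```javascript
// Added example, not the skill's code: a guard an agent host could apply
// before a tool such as x402_tron_invoke attaches a signed payment payload to
// a request. It accepts only https URLs whose exact hostname is on an
// allowlist, rejecting downgrades, embedded credentials, IP literals and
// look-alike hosts. The allowlist entry and sample URLs are hypothetical.

const ALLOWED_PAYMENT_HOSTS = new Set(["api.example.invalid"]); // hypothetical

function checkPaymentEndpoint(rawUrl, allowedHosts = ALLOWED_PAYMENT_HOSTS) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { ok: false, reason: "URL does not parse" };
  }
  if (url.protocol !== "https:") {
    return { ok: false, reason: `scheme ${url.protocol} not allowed; signed payment data only goes over https` };
  }
  // "https://api.example.invalid@evil.tld/" parses with the allowlisted name as
  // the username and evil.tld as the host; reject any userinfo outright.
  if (url.username || url.password) return { ok: false, reason: "credentials in URL" };
  if (url.port && url.port !== "443") return { ok: false, reason: `non-default port ${url.port}` };
  const host = url.hostname.toLowerCase().replace(/\.$/, ""); // drop a trailing root dot
  if (/^\d+(\.\d+){3}$/.test(host) || host.startsWith("[")) {
    return { ok: false, reason: "IP literal hosts are not allowed" };
  }
  // Exact match only: a suffix or prefix check would pass api.example.invalid.evil.tld.
  if (!allowedHosts.has(host)) return { ok: false, reason: `host ${host} is not on the allowlist` };
  return { ok: true, host, path: url.pathname };
}

// Constructed sample inputs, including the failure modes the guard must catch.
const SAMPLES = [
  "https://api.example.invalid/x402/pay",
  "http://api.example.invalid/x402/pay",
  "https://api.example.invalid.evil.tld/x402/pay",
  "https://api.example.invalid@evil.tld/x402/pay",
  "https://127.0.0.1/x402/pay",
  "https://api.example.invalid:8443/x402/pay",
  "not a url",
];
for (const s of SAMPLES) console.log(s, "->", checkPaymentEndpoint(s));
```

The allowlist is the part that has to come from the user, not from the tool call: if the agent can be talked into editing it, the guard is only as strong as the prompt-injection resistance of the agent, which is the weakness the previous findings describe.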

MEDIUM Financial Operations Without Explicit Per-Transaction User Confirmation -35

The skill is designed to make real-money cryptocurrency transactions automatically. Combined with the agent behavior instructions suppressing key disclosure, the user may not realize a transaction has been signed and broadcast until after the fact. The infinite approval amplifies this: a user approving one small payment unknowingly enables future unlimited withdrawals.

LOW Temporary File Residue in /tmp -5

Binary and image responses are written to /tmp/x402_image_* and /tmp/x402_binary_* with deletion responsibility delegated to the agent. If the agent fails to clean up, sensitive API response data persists on disk.

INFO No Unexpected Network Activity During Installation 0

Network monitoring detected only GitHub (git clone) and Ubuntu infrastructure connections during install. No connections to x402.org or open-aibank endpoints were observed at install time.

INFO Canary Files Intact — Accesses Attributable to Audit Framework 0

All honeypot files (.env, id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) were accessed during the audit but the accesses at timestamps 1771924463.470 and 1771924481.114 correspond to the oathe audit framework's own canary baseline checks, not to the skill's execution. The canary integrity check passes.