Is keeganthomp/breeze safe?

The skill instructs the agent to sign and immediately broadcast Solana blockchain transactions constructed entirely by an externally controlled API server. There is no step where the agent or user verifies the transaction's recipient addresses, token amounts, or any additional instructions the server may have embedded. A compromised or malicious x402.breeze.baby server could return deposit or withdraw transactions that include unauthorized fund transfers to attacker-controlled wallets, and the agent would sign and broadcast them without detecting the manipulation.

Every API interaction sends the user's Solana wallet public key to x402.breeze.baby (e.g., in the balance URL path) and also transmits x402 payment proofs — which are signed Solana micropayment transactions — to the same externally controlled server on every request. The server accumulates a complete picture of the user's wallet address, DeFi positions, yields, and payment activity. There is no privacy disclosure or data-handling guarantee in the skill.

The deposit and withdraw endpoints return opaque base64-encoded unsigned transaction blobs. The skill provides no mechanism for the agent to inspect what the transaction actually does before signing — no check on recipient program IDs, no validation of transfer amounts against what was requested, no detection of additional instructions. This is a classic transaction substitution attack surface: the API can return a transaction that does far more (or far different things) than the user requested.

The x402 payment wrapper automatically handles HTTP 402 challenges by signing and submitting USDC micropayments before each API response is served. The external server sets the per-call price. In an agentic loop where the agent repeatedly queries balances or builds transactions, costs accumulate without user visibility. There is no cap, budget check, or confirmation prompt built into the skill.

The withdraw endpoint accepts an 'all: true' flag that withdraws the user's entire position in one operation. In an agentic context where the agent interprets natural-language instructions, a user saying 'withdraw everything' or a manipulated prompt saying 'close my position' could trigger a complete drain of all funds with no confirmation step.

The skill requires WALLET_PRIVATE_KEY — a Base58-encoded Solana private key — to be available as an environment variable the agent can read and use. Private keys in or adjacent to LLM context create risk: they may appear in agent logs, be included in error messages, be repeated in agent responses, or be exposed if the agent's context window is captured by a logging system or prompt injection attack elsewhere in the session.

The skill's code examples depend on @faremeter/fetch, @faremeter/payment-solana, and @faremeter/wallet-solana — custom packages from an unverified publisher that directly handle the user's Solana keypair for signing transactions and payment proofs. These packages are not widely known, have no mention of security audits in the skill documentation, and have full access to the private key during operation. A malicious or compromised version of any of these packages would have direct access to signing authority over the user's funds.

The skill hardcodes multiple external URLs as targets for the agent to fetch: https://x402.breeze.baby (API), https://breeze.baby (product site), https://www.x402.org (protocol site), and https://solscan.io for transaction reporting. These URLs are controlled by third parties and could be redirected or serve different content in the future, potentially altering agent behavior.