Is keeganthomp/breeze-x402-payment-api safe?

https://github.com/openclaw/skills/tree/main/skills/keeganthomp/breeze-x402-payment-api

Score: 78 (CAUTION)

This skill is a transparent DeFi API wrapper for the Breeze protocol that requires a funded Solana wallet private key and makes real, unrecoverable USDC micropayments on every API call. The SKILL.md content contains no prompt injection, hidden directives, or deceptive patterns, and canary monitoring confirmed no system credential exfiltration during installation. The primary risks are financial rather than systemic: the skill grants the agent fully autonomous, unconfirmed transaction signing authority (including a full-drain withdraw path), and relies on unaudited @faremeter/* npm packages that will receive the wallet private key at runtime with no version pinning.

Category Scores

Prompt Injection 92/100 · 30%
Data Exfiltration 65/100 · 25%
Code Execution 62/100 · 20%
Clone Behavior 92/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 60/100 · 5%

Findings (7)

HIGH Unaudited @faremeter/* packages receive wallet private key -30

The skill instructs npm install of @faremeter/fetch, @faremeter/payment-solana, @faremeter/wallet-solana, and @faremeter/info with no version pins, no integrity hashes, and no package-lock.json. These packages will receive WALLET_PRIVATE_KEY at runtime for signing. The @faremeter org has minimal public audit history. A compromised or malicious version of any of these packages could silently exfiltrate the private key.

HIGH Agent has autonomous, unconfirmed financial signing authority -35

The skill instructs the agent to read WALLET_PRIVATE_KEY, sign Solana transactions, and broadcast them to the network without any human confirmation step. The deposit and withdraw workflows are fully autonomous. The withdraw endpoint supports all:true, which can drain an entire position. No per-call spend limits are defined.

MEDIUM Private key exposed in shell history via documented pattern -20

The skill documents "export $(cat .env | xargs) && node deposit.js" as the recommended way to run the deposit script. This pattern writes WALLET_PRIVATE_KEY to bash/zsh history in plaintext. Additionally, generate-wallet.js writes the secret key to .env without automatically adding it to .gitignore.

MEDIUM Every API call makes an unrecoverable USDC micropayment -15

The x402 protocol requires a USDC payment for each protected endpoint call. Each balance check, deposit request, and withdrawal request consumes funds from the user's wallet. An agent that calls these endpoints repeatedly — intentionally or due to errors — will incur costs without discrete user approval.

MEDIUM No npm package version pinning or lockfile -8

All npm dependencies are listed without version constraints (no semver range, no lockfile). This means npm install will resolve to the latest available versions at install time. A supply-chain compromise of any @faremeter package would be silently adopted on next install.

LOW X402_API_URL is environment-configurable, enabling redirect attacks -5

The skill reads X402_API_URL from the environment and uses it as the payment endpoint with no domain validation. If another installed skill or a prompt injection can set this environment variable, it could redirect payment proofs (which include wallet signatures) to an attacker-controlled server.

INFO Skill is transparent about external endpoints and financial requirements 0

The skill explicitly declares its external endpoints (x402.breeze.baby, api.mainnet-beta.solana.com), required environment variables (WALLET_PRIVATE_KEY), and financial implications in the Security & Privacy section. No deception or hidden behavior detected in the skill content.