bondterminal-x402
Query BondTerminal API using x402 keyless payments. No API key needed — pay $0.01 USDC per request on Base mainnet. Use when users ask for Argentine bond data, analytics, cashflows, history, riesgo país, or ISIN/ticker lookups (e.g. AL30, GD30, US040114HS26). Supports automatic 402 → payment → retry.
97
92%
Does it follow best practices?
Impact
100%
2.50xAverage score across 6 eval scenarios
Advisory
Suggest reviewing before use
Security
2 findings — 2 medium severity. This skill can be installed but you should review these findings before use.
W011: Third-party content exposure detected (indirect prompt injection risk)
What this means
The skill exposes the agent to untrusted, user-generated content from public third-party sources, creating a risk of indirect prompt injection. This includes browsing arbitrary URLs, reading social media posts or forum comments, and analyzing content from unknown websites.
Why it was flagged
Third-party content exposure detected (high risk: 1.00). The SKILL.md "Fetching Bond Data" flow shows the agent calling https://bondterminal.com/api/v1, decoding the server-sent PAYMENT-REQUIRED header (base64 JSON) and using that data to create/sign payments and retry requests, so it ingests and acts on untrusted third-party API responses that can materially change tool actions.
W009: Direct money access capability detected (payment gateways, crypto, banking)
What this means
The skill is specifically designed for direct financial operations, giving the agent the ability to move money or execute financial transactions — such as payment processing, cryptocurrency operations, banking integrations, or market order execution.
Why it was flagged
Direct money access detected (high risk: 1.00). The skill explicitly implements a pay-per-call crypto payment flow. It requires an EVM signer with USDC on Base, instructs signing an EIP-3009 transferWithAuthorization, and encodes/sends payment signatures (PAYMENT-SIGNATURE / X-PAYMENT) to settle $0.01 USDC per request. The docs mention settlement transaction hashes and Coinbase verification. This is a specific blockchain payment integration (wallet signing and token transfer), i.e., direct financial execution capability.
- Repository
- NeverSight/skills_feed
- Commit
f772de4
- Audited
- Security analysis
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.