x402-attack-surface-gate
by Tate Lyman
Automated launch-readiness auditor for x402 and agent-payment API surfaces.
- Map paid API routes and price points from public manifests and docs.
- Identify payment bypass risks where work executes before a 402 challenge.
- Verify idempotency and replay protection to prevent double-charging.
$19 · or 95 credits
Secure checkout via Stripe
Included in download
- Map paid API routes and price points from public manifests and docs.
- Identify payment bypass risks where work executes before a 402 challenge.
- Terminal and network automation included
- Ready for Claude Code
Sample input
Run a launch-readiness audit on my new x402-enabled generation API at https://api.example.com/v1/generate using the public manifest.
Sample output
Verdict: hold_for_patch
Spend Map: POST /v1/generate | 0.05 USDC | Resource Binding: FAILED
Findings: [High] Paid-but-denied risk: Route returns 200 OK before 402 challenge on large payloads.
Patch: Move payment validation middleware before the body parser to prevent unpaid resource exhaustion.
About This Skill
What it does
The x402 Attack Surface Gate is a security and reliability auditor for AI agent payment layers. It performs automated, no-payment probes of x402, MPP, and Pay.sh implementations to identify launch-blocking risks like payment bypass, replay vulnerabilities, and browser-related CORS or cache leaks.
Why use this skill
Testing paid API surfaces is notoriously difficult because you often have to spend real funds or mock complex wallet signatures. This skill solves that by using standardized, non-destructive probing techniques. It ensures your 402 payment challenges are correctly bound to resources, idempotent, and compatible with agent-centric browser environments before you go live.
Supported tools
- x402 protocol manifests
- OpenAPI / Swagger specifications
- MPP and Pay.sh agent payment standards
- Agent wallet registries and marketplace listings
The output provides a structured "Spend Map" and a prioritized "Patch Order", giving developers a clear checklist to move from "hold_for_patch" to "launch_ready".
Use Cases
- Map paid API routes and price points from public manifests and docs.
- Identify payment bypass risks where work executes before a 402 challenge.
- Verify idempotency and replay protection to prevent double-charging.
- Audit CORS and cache headers for agent-client compatibility.
- Generate a prioritized patch order for payment-layer vulnerabilities.
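As an added illustration of the checks listed above (this is not the skill's own code), a minimal x402-style paid route written in JavaScript: the weak middleware ordering from the sample finding is shown beside the hardened one, together with resource binding of the payment proof and an idempotent replay check. The `x-payment` header, the proof fields, the price and the in-memory idempotency store are constructed assumptions.

```javascript
// Added example, not the skill's code: a minimal x402-style paid route written as pure
// functions. The "x-payment" header, proof fields and price are constructed assumptions.
const PRICE = { route: "POST /v1/generate", amount: "0.05", asset: "USDC" };
const stats = { bytesParsed: 0 };   // how much work the server did without a valid payment
const completed = new Map();        // paymentId -> cached response (idempotency store)

function challenge(extra) {
  // The 402 challenge advertises exactly what is accepted for this resource.
  return { status: 402, body: { accepts: [PRICE], ...extra } };
}

function parseBody(rawBody) {
  stats.bytesParsed += rawBody.length; // stands in for the real cost of the work
  return JSON.parse(rawBody);
}

function generate(input) {
  return `generated:${input.prompt}`; // placeholder for the paid computation
}

// Looks only at headers, so no body is read for unpaid requests.
function verifyPayment(headers) {
  if (!headers["x-payment"]) return { ok: false, res: challenge() };
  let proof;
  try { proof = JSON.parse(headers["x-payment"]); }
  catch { return { ok: false, res: challenge({ error: "malformed proof" }) }; }
  // Resource binding: the proof must name this route and this price, not just any payment.
  if (proof.route !== PRICE.route || proof.amount !== PRICE.amount || proof.asset !== PRICE.asset) {
    return { ok: false, res: challenge({ error: "proof not bound to this resource" }) };
  }
  return { ok: true, id: proof.id };
}

// Weak ordering, as in the sample finding: the body is parsed before the gate runs,
// so an unpaid caller still consumes parsing work and only then receives the 402.
function handleUnsafe(req) {
  const input = parseBody(req.rawBody);
  const gate = verifyPayment(req.headers);
  if (!gate.ok) return gate.res;
  return { status: 200, body: { result: generate(input) } };
}

// Hardened ordering: gate first, idempotent replay check second, paid work last.
function handleSafe(req) {
  const gate = verifyPayment(req.headers);
  if (!gate.ok) return gate.res;
  if (completed.has(gate.id)) return { ...completed.get(gate.id), replayed: true }; // no second run, no second charge
  const res = { status: 200, body: { result: generate(parseBody(req.rawBody)) } };
  completed.set(gate.id, res);
  return res;
}
```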
Known Limitations
- No testing of real financial settlement or wallet signatures.
- Limited to public-facing manifests and OpenAPI surfaces.
- Cannot verify backend-only authorization logic.
How to Install
mkdir -p ~/.claude/skills && curl -sL https://www.agensi.io/api/install/x402-attack-surface-gate -o /tmp/x402-attack-surface-gate.zip && unzip -o /tmp/x402-attack-surface-gate.zip -d ~/.claude/skills && rm /tmp/x402-attack-surface-gate.zip
Free skills install directly. Paid skills require purchase - use the download button above after buying.
Reviews
No reviews yet - be the first to share your experience.
Only users who have downloaded or purchased this skill can leave a review.
Security Scanned
Passed automated security review
Claude Code, Cursor, MCP-capable agents