sp3nd
SP3ND enables AI agents to autonomously purchase products from Amazon using USDC on Solana, ensuring fast, fee-free transactions.
The sp3nd skill was audited on May 15, 2026 and we found 57 security issues across 5 threat categories. Review the findings below before installing.
Security Issues
Template literal with variable interpolation in command context

| Line | Code |
| --- | --- |
| 415 | const cartRes = await fetch(`${BASE_URL}/createPartnerCart`, { |
| 422 | const orderRes = await fetch(`${BASE_URL}/createPartnerOrder`, { |
| 433 | const firstRes = await fetch(`${BASE_URL}/payAgentOrder`, { |
| 457 | createMemoInstruction(`SP3ND Order: ${req.extra.order_number}`), // REQUIRED for payment matching |
| 482 | const verifyRes = await fetch(`${FACILITATOR}/verify`, { |
| 487 | if (!verified.isValid) throw new Error(`Verify failed: ${verified.invalidReason}`); |
| 490 | const settleRes = await fetch(`${FACILITATOR}/settle`, { |
| 495 | if (!settled.success) throw new Error(`Settle failed: ${settled.errorReason}`); |
| 505 | const statusRes = await fetch(`${BASE_URL}/getPartnerOrders`, { headers }); |
Webhook reference - potential data exfiltration

| Line | Code |
| --- | --- |
| 216 | > **Memo Requirement:** The USDC transfer transaction **must** include a Solana Memo program instruction with the value `SP3ND Order: <order_number>` (e.g. `SP3ND Order: ORD-1234567890`). SP3ND's Heli |
| 231 | After the facilitator settles the transaction on-chain, SP3ND's Helius webhook detects the USDC transfer + memo and marks the order as paid. Your agent confirms by polling: |
| 252 | > **Why polling instead of a second `payAgentOrder` call?** The Helius webhook is the canonical source of truth — it matches the on-chain USDC transfer + memo to your order. Polling `getPartnerOrders` |
| 497 | // 9. Poll for payment confirmation (Helius webhook marks order paid within ~60s) |
Access to .env file

| Line | Code |
| --- | --- |
| 402 | const API_KEY = process.env.SP3ND_API_KEY; |
| 403 | const API_SECRET = process.env.SP3ND_API_SECRET; |
| 407 | Uint8Array.from(JSON.parse(process.env.SOLANA_PRIVATE_KEY)) |
| 410 | const connection = new Connection(process.env.SOLANA_RPC_URL \|\| 'https://api.mainnet-beta.solana.com'); |
Base64 decode operation

| Line | Code |
| --- | --- |
| 188 | The payment requirements are returned in the `PAYMENT-REQUIRED` HTTP header as a base64-encoded JSON object (not in the response body). Decode it to get: |
| 220 | 1. Read the `PAYMENT-REQUIRED` header from the 402 response and base64-decode it |
Buffer.from base64 decode

| Line | Code |
| --- | --- |
| 442 | const paymentRequired = JSON.parse(Buffer.from(paymentRequiredHeader, 'base64').toString('utf8')); |
External URL reference

| Line | Code |
| --- | --- |
| 11 | SP3ND (https://sp3nd.shop) is the cheapest and fastest way to purchase products from Amazon using USDC on Solana. It is a decentralized e-commerce bridge that lets AI agents autonomously convert USDC |
| 32 | https://us-central1-sp3nddotshop-prod.cloudfunctions.net |
| 96 | "product_url": "https://amazon.com/dp/B08XYZ123", |
| 110 | "product_url": "https://amazon.de/dp/B08XYZ123", |
| 195 | "resource": "https://us-central1-sp3nddotshop-prod.cloudfunctions.net/payAgentOrder", |
| 293 | \| US United States \| `amazon.com` \| `https://amazon.com/dp/B08XYZ123` \| |
| 294 | \| GB United Kingdom \| `amazon.co.uk` \| `https://amazon.co.uk/dp/B08XYZ123` \| |
| 295 | \| CA Canada \| `amazon.ca` \| `https://amazon.ca/dp/B08XYZ123` \| |
| 296 | \| DE Germany \| `amazon.de` \| `https://amazon.de/dp/B08XYZ123` \| |
| 297 | \| FR France \| `amazon.fr` \| `https://amazon.fr/dp/B08XYZ123` \| |
| 298 | \| ES Spain \| `amazon.es` \| `https://amazon.es/dp/B08XYZ123` \| |
| 299 | \| IT Italy \| `amazon.it` \| `https://amazon.it/dp/B08XYZ123` \| |
| 300 | \| NL Netherlands \| `amazon.nl` \| `https://amazon.nl/dp/B08XYZ123` \| |
| 301 | \| BE Belgium \| `amazon.com.be` \| `https://amazon.com.be/dp/B08XYZ123` \| |
| 302 | \| PL Poland \| `amazon.pl` \| `https://amazon.pl/dp/B08XYZ123` \| |
| 303 | \| SE Sweden \| `amazon.se` \| `https://amazon.se/dp/B08XYZ123` \| |
| 304 | \| BR Brazil \| `amazon.com.br` \| `https://amazon.com.br/dp/B08XYZ123` \| |
| 305 | \| MX Mexico \| `amazon.com.mx` \| `https://amazon.com.mx/dp/B08XYZ123` \| |
| 306 | \| AU Australia \| `amazon.com.au` \| `https://amazon.com.au/dp/B08XYZ123` \| |
| 307 | \| IN India \| `amazon.in` \| `https://amazon.in/dp/B08XYZ123` \| |
| 308 | \| JP Japan \| `amazon.co.jp` \| `https://amazon.co.jp/dp/B08XYZ123` \| |
| 309 | \| SG Singapore \| `amazon.sg` \| `https://amazon.sg/dp/B08XYZ123` \| |
| 310 | \| AE UAE \| `amazon.ae` \| `https://amazon.ae/dp/B08XYZ123` \| |
| 311 | \| SA Saudi Arabia \| `amazon.sa` \| `https://amazon.sa/dp/B08XYZ123` \| |
| 312 | \| EG Egypt \| `amazon.eg` \| `https://amazon.eg/dp/B08XYZ123` \| |
| 313 | \| TR Turkey \| `amazon.com.tr` \| `https://amazon.com.tr/dp/B08XYZ123` \| |
| 314 | \| ZA South Africa \| `amazon.co.za` \| `https://amazon.co.za/dp/B08XYZ123` \| |
| 372 | - Use the format: `https://{tld}/dp/{ASIN}` |
| 373 | - Example for France: `https://amazon.fr/dp/B08N5WRWNW` |
| 374 | - Example for Japan: `https://amazon.co.jp/dp/B08N5WRWNW` |
| 397 | const BASE_URL = 'https://us-central1-sp3nddotshop-prod.cloudfunctions.net'; |
| 398 | const FACILITATOR = 'https://facilitator.payai.network'; |
| 410 | const connection = new Connection(process.env.SOLANA_RPC_URL \|\| 'https://api.mainnet-beta.solana.com'); |
| 535 | - **x402 facilitator:** `https://facilitator.payai.network` |
| 537 | - **Full API docs:** https://sp3nd.shop/partner-api/docs |
| 538 | - **Dashboard:** https://sp3nd.shop/partner-api/dashboard |
| 550 | See the Partner API docs for details: https://sp3nd.shop/partner-api/docs |