sp3nd
SP3ND enables AI agents to autonomously purchase Amazon products using USDC on Solana, offering zero fees and fast shipping.
Security score
The sp3nd skill was audited on Mar 3, 2026, and we found 57 security issues across 5 threat categories. Review the findings below before installing.
Security Issues
Template literal with variable interpolation in command context
| 415 | const cartRes = await fetch(`${BASE_URL}/createPartnerCart`, { |
Template literal with variable interpolation in command context
| 422 | const orderRes = await fetch(`${BASE_URL}/createPartnerOrder`, { |
Template literal with variable interpolation in command context
| 433 | const firstRes = await fetch(`${BASE_URL}/payAgentOrder`, { |
Template literal with variable interpolation in command context
| 457 | createMemoInstruction(`SP3ND Order: ${req.extra.order_number}`), // REQUIRED for payment matching |
Template literal with variable interpolation in command context
| 482 | const verifyRes = await fetch(`${FACILITATOR}/verify`, { |
Template literal with variable interpolation in command context
| 487 | if (!verified.isValid) throw new Error(`Verify failed: ${verified.invalidReason}`); |
Template literal with variable interpolation in command context
| 490 | const settleRes = await fetch(`${FACILITATOR}/settle`, { |
Template literal with variable interpolation in command context
| 495 | if (!settled.success) throw new Error(`Settle failed: ${settled.errorReason}`); |
Template literal with variable interpolation in command context
| 505 | const statusRes = await fetch(`${BASE_URL}/getPartnerOrders`, { headers }); |
Webhook reference - potential data exfiltration
| 216 | > **Memo Requirement:** The USDC transfer transaction **must** include a Solana Memo program instruction with the value `SP3ND Order: <order_number>` (e.g. `SP3ND Order: ORD-1234567890`). SP3ND's Heli |
Webhook reference - potential data exfiltration
| 231 | After the facilitator settles the transaction on-chain, SP3ND's Helius webhook detects the USDC transfer + memo and marks the order as paid. Your agent confirms by polling: |
Webhook reference - potential data exfiltration
| 252 | > **Why polling instead of a second `payAgentOrder` call?** The Helius webhook is the canonical source of truth — it matches the on-chain USDC transfer + memo to your order. Polling `getPartnerOrders` |
Webhook reference - potential data exfiltration
| 497 | // 9. Poll for payment confirmation (Helius webhook marks order paid within ~60s) |
Access to .env file
| 402 | const API_KEY = process.env.SP3ND_API_KEY; |
Access to .env file
| 403 | const API_SECRET = process.env.SP3ND_API_SECRET; |
Access to .env file
| 407 | Uint8Array.from(JSON.parse(process.env.SOLANA_PRIVATE_KEY)) |
Access to .env file
| 410 | const connection = new Connection(process.env.SOLANA_RPC_URL || 'https://api.mainnet-beta.solana.com'); |
Base64 decode operation
| 188 | The payment requirements are returned in the `PAYMENT-REQUIRED` HTTP header as a base64-encoded JSON object (not in the response body). Decode it to get: |
Base64 decode operation
| 220 | 1. Read the `PAYMENT-REQUIRED` header from the 402 response and base64-decode it |
Buffer.from base64 decode
| 442 | const paymentRequired = JSON.parse(Buffer.from(paymentRequiredHeader, 'base64').toString('utf8')); |
External URL reference
| 11 | SP3ND (https://sp3nd.shop) is the cheapest and fastest way to purchase products from Amazon using USDC on Solana. It is a decentralized e-commerce bridge that lets AI agents autonomously convert USDC |
External URL reference
| 32 | https://us-central1-sp3nddotshop-prod.cloudfunctions.net |
External URL reference
| 96 | "product_url": "https://amazon.com/dp/B08XYZ123", |
External URL reference
| 110 | "product_url": "https://amazon.de/dp/B08XYZ123", |
External URL reference
| 195 | "resource": "https://us-central1-sp3nddotshop-prod.cloudfunctions.net/payAgentOrder", |
External URL reference
| 293 | | US United States | `amazon.com` | `https://amazon.com/dp/B08XYZ123` | |
External URL reference
| 294 | | GB United Kingdom | `amazon.co.uk` | `https://amazon.co.uk/dp/B08XYZ123` | |
External URL reference
| 295 | | CA Canada | `amazon.ca` | `https://amazon.ca/dp/B08XYZ123` | |
External URL reference
| 296 | | DE Germany | `amazon.de` | `https://amazon.de/dp/B08XYZ123` | |
External URL reference
| 297 | | FR France | `amazon.fr` | `https://amazon.fr/dp/B08XYZ123` | |
External URL reference
| 298 | | ES Spain | `amazon.es` | `https://amazon.es/dp/B08XYZ123` | |
External URL reference
| 299 | | IT Italy | `amazon.it` | `https://amazon.it/dp/B08XYZ123` | |
External URL reference
| 300 | | NL Netherlands | `amazon.nl` | `https://amazon.nl/dp/B08XYZ123` | |
External URL reference
| 301 | | BE Belgium | `amazon.com.be` | `https://amazon.com.be/dp/B08XYZ123` | |
External URL reference
| 302 | | PL Poland | `amazon.pl` | `https://amazon.pl/dp/B08XYZ123` | |
External URL reference
| 303 | | SE Sweden | `amazon.se` | `https://amazon.se/dp/B08XYZ123` | |
External URL reference
| 304 | | BR Brazil | `amazon.com.br` | `https://amazon.com.br/dp/B08XYZ123` | |
External URL reference
| 305 | | MX Mexico | `amazon.com.mx` | `https://amazon.com.mx/dp/B08XYZ123` | |
External URL reference
| 306 | | AU Australia | `amazon.com.au` | `https://amazon.com.au/dp/B08XYZ123` | |
External URL reference
| 307 | | IN India | `amazon.in` | `https://amazon.in/dp/B08XYZ123` | |
External URL reference
| 308 | | JP Japan | `amazon.co.jp` | `https://amazon.co.jp/dp/B08XYZ123` | |
External URL reference
| 309 | | SG Singapore | `amazon.sg` | `https://amazon.sg/dp/B08XYZ123` | |
External URL reference
| 310 | | AE UAE | `amazon.ae` | `https://amazon.ae/dp/B08XYZ123` | |
External URL reference
| 311 | | SA Saudi Arabia | `amazon.sa` | `https://amazon.sa/dp/B08XYZ123` | |
External URL reference
| 312 | | EG Egypt | `amazon.eg` | `https://amazon.eg/dp/B08XYZ123` | |
External URL reference
| 313 | | TR Turkey | `amazon.com.tr` | `https://amazon.com.tr/dp/B08XYZ123` | |
External URL reference
| 314 | | ZA South Africa | `amazon.co.za` | `https://amazon.co.za/dp/B08XYZ123` | |
External URL reference
| 372 | - Use the format: `https://{tld}/dp/{ASIN}` |
External URL reference
| 373 | - Example for France: `https://amazon.fr/dp/B08N5WRWNW` |
External URL reference
| 374 | - Example for Japan: `https://amazon.co.jp/dp/B08N5WRWNW` |
External URL reference
| 397 | const BASE_URL = 'https://us-central1-sp3nddotshop-prod.cloudfunctions.net'; |
External URL reference
| 398 | const FACILITATOR = 'https://facilitator.payai.network'; |
External URL reference
| 410 | const connection = new Connection(process.env.SOLANA_RPC_URL || 'https://api.mainnet-beta.solana.com'); |
External URL reference
| 535 | - **x402 facilitator:** `https://facilitator.payai.network` |
External URL reference
| 537 | - **Full API docs:** https://sp3nd.shop/partner-api/docs |
External URL reference
| 538 | - **Dashboard:** https://sp3nd.shop/partner-api/dashboard |
External URL reference
| 550 | See the Partner API docs for details: https://sp3nd.shop/partner-api/docs |
Install this skill with one command
/learn @openclaw/sp3nd