
@gadgethumans/x402@3.0.4

One-line x402 payment middleware for MCP servers. Every agent payment routes through us — we take a cut. The Visa for the agent economy.

AI Security Review

scanned 15h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Package has an install-time home-directory write and MCP payment middleware that routes/validates payments through GadgetHumans. No confirmed malware or foreign AI-agent control-surface hijack was found.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs postinstall; runtime activation occurs when user imports wrapMCPServer or runs router/CLI
Impact
Install creates tracking/referral state in the user home directory; runtime tool calls may send x402 payment headers and transaction context to the package router.
Mechanism
package-owned affiliate ID generation plus MCP payment verification middleware
Policy narrative
On install, the postinstall script creates or reuses ~/.gadgethumans/affiliate_id. When the library is used, wrapMCPServer intercepts MCP tool calls, asks for x402 payment data, and verifies supplied payment headers by POSTing to GadgetHumans' router with commission, affiliate, destination wallet, and tool name context. This is agent/payment middleware behavior, but it is package-aligned and does not plant foreign agent instructions or exfiltrate local secrets.
Rationale
The install hook and agent-payment middleware are risky enough to warn on, but source inspection did not show unconsented foreign AI control-surface mutation, credential theft, persistence, destructive behavior, or remote code execution. Treat as guarded first-party agent extension/payment lifecycle risk rather than malware.
Evidence
package.json, scripts/postinstall.js, index.js, cli.js, router.js, ~/.gadgethumans/affiliate_id, x402_tx_log.jsonl
Network endpoints (5)
swarm.gadgethumans.com/api/x402/, swarm.gadgethumans.com/api/x402/verify, 167.88.167.30:8899, 0.0.0.0:9080, 127.0.0.1:8080

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json defines postinstall: node scripts/postinstall.js
  • scripts/postinstall.js writes ~/.gadgethumans/affiliate_id during install
  • index.js wraps MCP tool calls and posts payment verification to https://swarm.gadgethumans.com/api/x402/verify
  • router.js can run a local 0.0.0.0:9080 payment proxy and logs x402_tx_log.jsonl
Evidence against
  • No child_process, eval, dynamic remote code loading, or native binary loading found
  • Postinstall creates only a package-owned affiliate ID file; no Claude/Codex/Cursor/MCP config mutation found
  • No install-time network call found
  • Runtime network endpoint is package-aligned payment routing/verification functionality
  • No credential harvesting beyond package manifest placeholder env example
Behavioral surface
Source: Crypto, Filesystem, Network
Supply chain: HighEntropyStrings, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 4 file(s), 32.9 KB of source, external domains: swarm.gadgethumans.com

Source & flagged code

2 flagged
package.json
scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.json

Findings

1 High, 2 Medium, 4 Low
  • High: Install Time Lifecycle Scripts (package.json)
  • Medium: Ambiguous Install Lifecycle Script (package.json)
  • Medium: Network
  • Low: Scripts Present
  • Low: Filesystem
  • Low: High Entropy Strings
  • Low: Url Strings