registry  /  @gadgethumans/x402  /  3.0.0

@gadgethumans/x402@3.0.0

Unified payment middleware for MCP servers. One-line wrapMCPServer() — supports x402 (crypto, autonomous) + Stripe (fiat, subscriptions). The Visa for the agent economy.

AI Security Review

scanned 16h ago · by lpm-firewall-ai

The only install-time mutation found is generation of a package-owned affiliate ID in the user's home directory. Runtime behavior builds MCP payment-required responses and optionally uses Stripe APIs with a caller-provided secret; no confirmed malicious attack surface is established.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
npm install runs postinstall; runtime activates when a server imports and uses wrapMCPServer/payment helpers
Impact
Home directory package state is created and later attached to package payment metadata; no unconsented agent control hijack or data theft confirmed
Mechanism
install-time affiliate ID generation plus user-invoked payment middleware
Attack narrative
On install, the package creates or reuses `~/.gadgethumans/affiliate_id`, then at runtime reads that ID into x402/Stripe payment metadata and MCP 402 responses. This is install-time home-directory state, but it is package-owned affiliate tracking for the advertised payment middleware and does not alter foreign AI-agent control surfaces, persist services, execute remote code, or harvest credentials.
Rationale
Static inspection shows a real lifecycle write, but it is limited to a package-owned affiliate ID and the runtime payment/network behavior is aligned with the package's advertised x402/Stripe middleware. Because no concrete malicious behavior or agent control hijack was found, the package should not be blocked.
Evidence
package.jsonscripts/postinstall.jsindex.js~/.gadgethumans/affiliate_id
Network endpoints3
swarm.gadgethumans.com/api/x402/swarm.gadgethumans.com/x402/Stripe API via optional stripe SDK

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with low false-positive risk.
Evidence for block
  • `package.json` has `postinstall: node scripts/postinstall.js`.
  • `scripts/postinstall.js` writes `~/.gadgethumans/affiliate_id` during install without an explicit prompt.
  • Runtime `index.js` reads `~/.gadgethumans/affiliate_id` and includes it in payment metadata/402 responses.
  • `index.js` creates/retrieves Stripe PaymentIntents when caller supplies a Stripe secret key.
Evidence against
  • No code writes AI-agent control surfaces such as MCP config, Claude/Codex/Cursor settings, or slash commands.
  • No child_process, eval/vm/Function, native binary loading, destructive actions, or persistence beyond the affiliate ID file seen.
  • Network/payment endpoints are package-aligned: Stripe SDK calls and `https://swarm.gadgethumans.com/api/x402/` in payment metadata.
  • No credential harvesting or exfiltration found; Stripe secret is caller-supplied and used for Stripe API operations.
  • Main observed behavior matches payment middleware purpose.
Behavioral surface
Source
CryptoFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 5 file(s), 47.9 KB of source, external domains: checkout.stripe.com, swarm.gadgethumans.com

Source & flagged code

3 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
index.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @gadgethumans/x402@2.0.0 matchedIdentity = npm:QGdhZGdldGh1bWFucy94NDAy:2.0.0 similarity = 0.800 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

index.jsView on unpkg

Findings

2 High2 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
HighPrevious Version Dangerous Deltaindex.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings