registry  /  botpay  /  0.1.10

botpay@0.1.10

BotPay Agent Payment Demo CLI

AI Security Review

scanned 8d ago · by lpm-firewall-ai

User-invoked CLI creates local demo wallets and can move crypto funds through x402/payment demo flows. The risky behavior is explicit crypto transfer capability to hardcoded demo/receiver addresses, not install-time execution or confirmed secret exfiltration.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Running the botpay CLI and selecting payment/autopay/orchestration options
Impact
Funds placed into generated agent wallets can be automatically transferred to hardcoded receivers or demo services after user menu actions.
Mechanism
local wallet generation plus WalletConnect/x402 crypto transfers
Attack narrative
When run, the CLI auto-generates local demo agent private keys if none are configured. User-selected flows can request wallet funding and then use those agent keys to make x402 or on-chain transfers, including hardcoded receiver addresses. The source does not show install-time activation or direct private-key exfiltration, but the crypto-moving capability and hardcoded settlement destinations are high risk.
Rationale
Source inspection confirms a user-invoked crypto payment demo with hardcoded receivers and automatic agent-wallet transfers, but not lifecycle-triggered malware, credential exfiltration, or unconsented agent control-surface mutation. This warrants a warning rather than a publish block.
Evidence
package.jsoncli.js~/.botpay/agent-wallets.json.vouchers.json.agent-user-ledger.json
Network endpoints6
ethereum.publicnode.combase.publicnode.combsc-dataseed.binance.orgmvp.botpay.network/x402/nft-mint/api/verify-and-mintvideo.botpay.network/api/x402/video/watchbotpay-voucher-worker.alexwlex143.workers.dev

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • cli.js creates local agent private keys at startup in ~/.botpay/agent-wallets.json if env key is absent
  • cli.js has user-invoked flows that transfer native tokens/USDC from agent wallets to hardcoded receivers
  • Multi-agent flow sends user-funded USDC through generated agent wallets to final receiver 0xcC1984E79726E7a0ae2b9Df2ac9e79Fb4983930e
  • Network calls go to package/demo endpoints and public RPCs, including x402 payment APIs
Evidence against
  • package.json has no npm lifecycle scripts; execution is via bin cli.js
  • No evidence that private keys or environment variables are sent directly to a remote endpoint
  • Wallet funding requires WalletConnect/MetaMask approval and CLI prompts show recipient/amount context
  • No AI-agent control-surface writes, persistence hooks, eval/vm, native binary loading, or remote code execution found
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 108 KB of source, external domains: base.llamarpc.com, base.publicnode.com, basescan.org, binance.llamarpc.com, botpay-voucher-worker.alexwlex143.workers.dev, botpay.network, bsc-dataseed.binance.org, bscscan.com, eth.llamarpc.com, ethereum.publicnode.com, etherscan.io, mvp.botpay.network, video.botpay.network

Source & flagged code

3 flagged · loading source
cli.jsView file
20import "dotenv/config"; L21: import { exec } from "node:child_process"; L22: import readline from "node:readline"; ... L36: function ensureDefaultRpcEnv() { L37: process.env.ETH_RPC_URL ||= "https://ethereum.publicnode.com"; L38: process.env.BASE_RPC_URL ||= "https://base.publicnode.com"; ... L45: L46: const LOCAL_BOTPAY_DIR = path.join(os.homedir(), ".botpay"); L47: const LOCAL_AGENT_WALLETS_FILE = path.join(LOCAL_BOTPAY_DIR, "agent-wallets.json"); ... L49: const LOCAL_AGENT_WALLET_ENV_KEYS = [ L50: { env: "BOTPAY_AGENT_PRIVATE_KEY", label: "Agent Wallet 1" }, L51: { env: "BOTPAY_AGENT_SECOND_PRIVATE_KEY", label: "Agent Wallet 2" },
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

cli.jsView on unpkg · L20
20import "dotenv/config"; L21: import { exec } from "node:child_process"; L22: import readline from "node:readline"; ... L36: function ensureDefaultRpcEnv() { L37: process.env.ETH_RPC_URL ||= "https://ethereum.publicnode.com"; L38: process.env.BASE_RPC_URL ||= "https://base.publicnode.com"; ... L45: L46: const LOCAL_BOTPAY_DIR = path.join(os.homedir(), ".botpay"); L47: const LOCAL_AGENT_WALLETS_FILE = path.join(LOCAL_BOTPAY_DIR, "agent-wallets.json"); ... L49: const LOCAL_AGENT_WALLET_ENV_KEYS = [ L50: { env: "BOTPAY_AGENT_PRIVATE_KEY", label: "Agent Wallet 1" }, L51: { env: "BOTPAY_AGENT_SECOND_PRIVATE_KEY", label: "Agent Wallet 2" },
Critical
Wallet Drain

Source uses private key material to transfer cryptocurrency funds.

cli.jsView on unpkg · L20
20Trigger-reachable chain: manifest.bin -> cli.js L20: import "dotenv/config"; L21: import { exec } from "node:child_process"; L22: import readline from "node:readline"; ... L36: function ensureDefaultRpcEnv() { L37: process.env.ETH_RPC_URL ||= "https://ethereum.publicnode.com"; L38: process.env.BASE_RPC_URL ||= "https://base.publicnode.com"; ... L45: L46: const LOCAL_BOTPAY_DIR = path.join(os.homedir(), ".botpay"); L47: const LOCAL_AGENT_WALLETS_FILE = path.join(LOCAL_BOTPAY_DIR, "agent-wallets.json"); ... L49: const LOCAL_AGENT_WALLET_ENV_KEYS = [ L50: { env: "BOTPAY_AGENT_PRIVATE_KEY", label: "Agent Wallet 1" }, L51: { env: "BOTPAY_AGENT_SECOND_PRIVATE_KEY", label: "Agent Wallet 2" },
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

cli.jsView on unpkg · L20

Findings

3 Critical3 Medium3 Low
CriticalCredential Exfiltrationcli.js
CriticalWallet Draincli.js
CriticalTrigger Reachable Dangerous Capabilitycli.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings