registry  /  botpay  /  0.1.11

botpay@0.1.11

BotPay Agent Payment Demo CLI

AI Security Review

scanned 7d ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs botpay CLI and selects wallet/agent payment demos or direct demo arguments.
Impact
Potential loss of funds if users fund the generated agent wallets or approve transfers without understanding hardcoded recipients.
Mechanism
user-invoked crypto payment orchestration with local private-key wallets
Policy narrative
On CLI execution, botpay auto-creates local agent wallets if BOTPAY_AGENT_PRIVATE_KEY is absent. Interactive demos then connect a user wallet through WalletConnect, request funding or approvals, and use local agent keys/x402 calls to pay hardcoded BotPay, voucher, or Wurk endpoints and receiver addresses. The behavior is payment-demo aligned and disclosed in prompts, but it is a dangerous capability involving real funds.
Rationale
Static inspection confirms dangerous crypto payment automation but not unconsented install-time execution, hidden credential exfiltration, or silent wallet draining. Because activation is user-invoked and package-aligned, warn rather than block.
Evidence
package.jsoncli.js~/.botpay/agent-wallets.json.vouchers.json.agent-user-ledger.json
Network endpoints8
ethereum.publicnode.combase.publicnode.combsc-dataseed.binance.orgbotpay.networkmvp.botpay.network/x402/nft-mint/api/verify-and-mintvideo.botpay.network/api/x402/video/watchbotpay-voucher-worker.alexwlex143.workers.devwurkapi.fun/base/xlikes?amount=10

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • cli.js creates seven local demo wallets and writes private keys to ~/.botpay/agent-wallets.json at CLI startup when env key is absent.
  • cli.js contains user-invoked flows that request WalletConnect approvals and transfer real native tokens/USDC to hardcoded receiver addresses.
  • cli.js multi-agent flow forwards user-funded Base USDC through generated agent wallets to a hardcoded final receiver.
  • cli.js sends x402 requests and voucher data to botpay/wurk/worker endpoints using local agent signing keys.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hook; execution is via bin cli.js.
  • Dangerous payment flows are menu/argument driven and print receivers/amounts before wallet approval or agent transfer.
  • No source evidence of private key/env exfiltration; private keys are used locally for ethers/x402 signing.
  • No AI-agent control surface, shell startup, VCS hook, daemon, or foreign config mutation found.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 108 KB of source, external domains: base.llamarpc.com, base.publicnode.com, basescan.org, binance.llamarpc.com, botpay-voucher-worker.alexwlex143.workers.dev, botpay.network, bsc-dataseed.binance.org, bscscan.com, eth.llamarpc.com, ethereum.publicnode.com, etherscan.io, mvp.botpay.network, video.botpay.network, wurkapi.fun

Source & flagged code

3 flagged · loading source
cli.jsView file
20import "dotenv/config"; L21: import { exec } from "node:child_process"; L22: import readline from "node:readline"; ... L36: function ensureDefaultRpcEnv() { L37: process.env.ETH_RPC_URL ||= "https://ethereum.publicnode.com"; L38: process.env.BASE_RPC_URL ||= "https://base.publicnode.com"; ... L45: L46: const LOCAL_BOTPAY_DIR = path.join(os.homedir(), ".botpay"); L47: const LOCAL_AGENT_WALLETS_FILE = path.join(LOCAL_BOTPAY_DIR, "agent-wallets.json"); ... L49: const LOCAL_AGENT_WALLET_ENV_KEYS = [ L50: { env: "BOTPAY_AGENT_PRIVATE_KEY", label: "Agent Wallet 1" }, L51: { env: "BOTPAY_AGENT_SECOND_PRIVATE_KEY", label: "Agent Wallet 2" },
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

cli.jsView on unpkg · L20
20import "dotenv/config"; L21: import { exec } from "node:child_process"; L22: import readline from "node:readline"; ... L36: function ensureDefaultRpcEnv() { L37: process.env.ETH_RPC_URL ||= "https://ethereum.publicnode.com"; L38: process.env.BASE_RPC_URL ||= "https://base.publicnode.com"; ... L45: L46: const LOCAL_BOTPAY_DIR = path.join(os.homedir(), ".botpay"); L47: const LOCAL_AGENT_WALLETS_FILE = path.join(LOCAL_BOTPAY_DIR, "agent-wallets.json"); ... L49: const LOCAL_AGENT_WALLET_ENV_KEYS = [ L50: { env: "BOTPAY_AGENT_PRIVATE_KEY", label: "Agent Wallet 1" }, L51: { env: "BOTPAY_AGENT_SECOND_PRIVATE_KEY", label: "Agent Wallet 2" },
Critical
Wallet Drain

Source uses private key material to transfer cryptocurrency funds.

cli.jsView on unpkg · L20
20Trigger-reachable chain: manifest.bin -> cli.js L20: import "dotenv/config"; L21: import { exec } from "node:child_process"; L22: import readline from "node:readline"; ... L36: function ensureDefaultRpcEnv() { L37: process.env.ETH_RPC_URL ||= "https://ethereum.publicnode.com"; L38: process.env.BASE_RPC_URL ||= "https://base.publicnode.com"; ... L45: L46: const LOCAL_BOTPAY_DIR = path.join(os.homedir(), ".botpay"); L47: const LOCAL_AGENT_WALLETS_FILE = path.join(LOCAL_BOTPAY_DIR, "agent-wallets.json"); ... L49: const LOCAL_AGENT_WALLET_ENV_KEYS = [ L50: { env: "BOTPAY_AGENT_PRIVATE_KEY", label: "Agent Wallet 1" }, L51: { env: "BOTPAY_AGENT_SECOND_PRIVATE_KEY", label: "Agent Wallet 2" },
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

cli.jsView on unpkg · L20

Findings

3 Critical3 Medium3 Low
CriticalCredential Exfiltrationcli.js
CriticalWallet Draincli.js
CriticalTrigger Reachable Dangerous Capabilitycli.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings