AI Security Review
scanned 2d ago · by lpm-firewall-aiHigh-risk payment automation exists, but it is part of a user-invoked BotPay demo CLI rather than install-time malware. No private key exfiltration or unprompted package-install execution was confirmed.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs botpay CLI and selects wallet, autopay, orchestration, voucher, NFT, or video flows.
Impact
Can spend funds from package-specific agent wallets or user-approved WalletConnect transfers to BotPay/demo receivers and endpoints.
Mechanism
interactive crypto payment automation using local agent wallets and x402 signatures
Rationale
The package contains real wallet-spending capabilities, but they are aligned with an agent-payment demo CLI, require explicit runtime interaction, and are not activated by npm lifecycle hooks. Because funds can be automatically forwarded after a user funding step, warn rather than mark fully clean.
Evidence
package.jsoncli.js~/.botpay/agent-wallets.json.vouchers.json.agent-user-ledger.json
Network endpoints8
ethereum.publicnode.combase.publicnode.combsc-dataseed.binance.orgmvp.botpay.network/x402/nft-mint/api/verify-and-mintvideo.botpay.network/api/x402/video/watchbotpay-voucher-worker.alexwlex143.workers.devwurkapi.fun/base/xlikes?amount=10scan.botpay.network
Decision evidence
public snapshotAI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- cli.js:46-138 creates/stores local demo private keys in ~/.botpay/agent-wallets.json at CLI startup if BOTPAY_AGENT_PRIVATE_KEY is absent.
- cli.js:1887-2099 implements automatic native/USDC split payments from the agent wallet to hardcoded receiver addresses.
- cli.js:2959-3138 orchestrates seven generated agent private keys and ultimately settles funded Base USDC to hardcoded MULTI_WALLET_RELAY_FINAL_RECEIVER.
- cli.js:1232-1288 sends x402 signed payment headers and JSON bodies to remote payment endpoints.
Evidence against
- package.json has no preinstall/install/postinstall lifecycle scripts.
- package.json exposes only a user-invoked bin cli.js; no import-time dependency hook beyond CLI execution.
- cli.js uses package-specific BOTPAY_AGENT_* env vars, not broad credential harvesting.
- Payment flows are interactive/menu or argument selected and print recipients, amounts, and wallet approval prompts before transfer.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
3 flagged · loading sourcecli.jsView file
20import "dotenv/config";
L21: import { exec } from "node:child_process";
L22: import readline from "node:readline";
...
L36: function ensureDefaultRpcEnv() {
L37: process.env.ETH_RPC_URL ||= "https://ethereum.publicnode.com";
L38: process.env.BASE_RPC_URL ||= "https://base.publicnode.com";
...
L45:
L46: const LOCAL_BOTPAY_DIR = path.join(os.homedir(), ".botpay");
L47: const LOCAL_AGENT_WALLETS_FILE = path.join(LOCAL_BOTPAY_DIR, "agent-wallets.json");
...
L49: const LOCAL_AGENT_WALLET_ENV_KEYS = [
L50: { env: "BOTPAY_AGENT_PRIVATE_KEY", label: "Agent Wallet 1" },
L51: { env: "BOTPAY_AGENT_SECOND_PRIVATE_KEY", label: "Agent Wallet 2" },
Critical
Credential Exfiltration
Source appears to send environment or credential material to an external endpoint.
cli.jsView on unpkg · L2020import "dotenv/config";
L21: import { exec } from "node:child_process";
L22: import readline from "node:readline";
...
L36: function ensureDefaultRpcEnv() {
L37: process.env.ETH_RPC_URL ||= "https://ethereum.publicnode.com";
L38: process.env.BASE_RPC_URL ||= "https://base.publicnode.com";
...
L45:
L46: const LOCAL_BOTPAY_DIR = path.join(os.homedir(), ".botpay");
L47: const LOCAL_AGENT_WALLETS_FILE = path.join(LOCAL_BOTPAY_DIR, "agent-wallets.json");
...
L49: const LOCAL_AGENT_WALLET_ENV_KEYS = [
L50: { env: "BOTPAY_AGENT_PRIVATE_KEY", label: "Agent Wallet 1" },
L51: { env: "BOTPAY_AGENT_SECOND_PRIVATE_KEY", label: "Agent Wallet 2" },
Critical
Wallet Drain
Source uses private key material to transfer cryptocurrency funds.
cli.jsView on unpkg · L2020Trigger-reachable chain: manifest.bin -> cli.js
L20: import "dotenv/config";
L21: import { exec } from "node:child_process";
L22: import readline from "node:readline";
...
L36: function ensureDefaultRpcEnv() {
L37: process.env.ETH_RPC_URL ||= "https://ethereum.publicnode.com";
L38: process.env.BASE_RPC_URL ||= "https://base.publicnode.com";
...
L45:
L46: const LOCAL_BOTPAY_DIR = path.join(os.homedir(), ".botpay");
L47: const LOCAL_AGENT_WALLETS_FILE = path.join(LOCAL_BOTPAY_DIR, "agent-wallets.json");
...
L49: const LOCAL_AGENT_WALLET_ENV_KEYS = [
L50: { env: "BOTPAY_AGENT_PRIVATE_KEY", label: "Agent Wallet 1" },
L51: { env: "BOTPAY_AGENT_SECOND_PRIVATE_KEY", label: "Agent Wallet 2" },
Critical
Trigger Reachable Dangerous Capability
A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
cli.jsView on unpkg · L20Findings
3 Critical3 Medium3 Low
CriticalCredential Exfiltrationcli.js
CriticalWallet Draincli.js
CriticalTrigger Reachable Dangerous Capabilitycli.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings