registry  /  botpay  /  0.1.14

botpay@0.1.14

BotPay Agent Payment Demo CLI

AI Security Review

scanned 2d ago · by lpm-firewall-ai

High-risk payment automation exists, but it is part of a user-invoked BotPay demo CLI rather than install-time malware. No private key exfiltration or unprompted package-install execution was confirmed.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs botpay CLI and selects wallet, autopay, orchestration, voucher, NFT, or video flows.
Impact
Can spend funds from package-specific agent wallets or user-approved WalletConnect transfers to BotPay/demo receivers and endpoints.
Mechanism
interactive crypto payment automation using local agent wallets and x402 signatures
Rationale
The package contains real wallet-spending capabilities, but they are aligned with an agent-payment demo CLI, require explicit runtime interaction, and are not activated by npm lifecycle hooks. Because funds can be automatically forwarded after a user funding step, warn rather than mark fully clean.
Evidence
package.jsoncli.js~/.botpay/agent-wallets.json.vouchers.json.agent-user-ledger.json
Network endpoints8
ethereum.publicnode.combase.publicnode.combsc-dataseed.binance.orgmvp.botpay.network/x402/nft-mint/api/verify-and-mintvideo.botpay.network/api/x402/video/watchbotpay-voucher-worker.alexwlex143.workers.devwurkapi.fun/base/xlikes?amount=10scan.botpay.network

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • cli.js:46-138 creates/stores local demo private keys in ~/.botpay/agent-wallets.json at CLI startup if BOTPAY_AGENT_PRIVATE_KEY is absent.
  • cli.js:1887-2099 implements automatic native/USDC split payments from the agent wallet to hardcoded receiver addresses.
  • cli.js:2959-3138 orchestrates seven generated agent private keys and ultimately settles funded Base USDC to hardcoded MULTI_WALLET_RELAY_FINAL_RECEIVER.
  • cli.js:1232-1288 sends x402 signed payment headers and JSON bodies to remote payment endpoints.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle scripts.
  • package.json exposes only a user-invoked bin cli.js; no import-time dependency hook beyond CLI execution.
  • cli.js uses package-specific BOTPAY_AGENT_* env vars, not broad credential harvesting.
  • Payment flows are interactive/menu or argument selected and print recipients, amounts, and wallet approval prompts before transfer.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 109 KB of source, external domains: base.llamarpc.com, base.publicnode.com, basescan.org, binance.llamarpc.com, botpay-voucher-worker.alexwlex143.workers.dev, botpay.network, bsc-dataseed.binance.org, bscscan.com, eth.llamarpc.com, ethereum.publicnode.com, etherscan.io, mvp.botpay.network, scan.botpay.network, video.botpay.network, wurkapi.fun

Source & flagged code

3 flagged · loading source
cli.jsView file
20import "dotenv/config"; L21: import { exec } from "node:child_process"; L22: import readline from "node:readline"; ... L36: function ensureDefaultRpcEnv() { L37: process.env.ETH_RPC_URL ||= "https://ethereum.publicnode.com"; L38: process.env.BASE_RPC_URL ||= "https://base.publicnode.com"; ... L45: L46: const LOCAL_BOTPAY_DIR = path.join(os.homedir(), ".botpay"); L47: const LOCAL_AGENT_WALLETS_FILE = path.join(LOCAL_BOTPAY_DIR, "agent-wallets.json"); ... L49: const LOCAL_AGENT_WALLET_ENV_KEYS = [ L50: { env: "BOTPAY_AGENT_PRIVATE_KEY", label: "Agent Wallet 1" }, L51: { env: "BOTPAY_AGENT_SECOND_PRIVATE_KEY", label: "Agent Wallet 2" },
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

cli.jsView on unpkg · L20
20import "dotenv/config"; L21: import { exec } from "node:child_process"; L22: import readline from "node:readline"; ... L36: function ensureDefaultRpcEnv() { L37: process.env.ETH_RPC_URL ||= "https://ethereum.publicnode.com"; L38: process.env.BASE_RPC_URL ||= "https://base.publicnode.com"; ... L45: L46: const LOCAL_BOTPAY_DIR = path.join(os.homedir(), ".botpay"); L47: const LOCAL_AGENT_WALLETS_FILE = path.join(LOCAL_BOTPAY_DIR, "agent-wallets.json"); ... L49: const LOCAL_AGENT_WALLET_ENV_KEYS = [ L50: { env: "BOTPAY_AGENT_PRIVATE_KEY", label: "Agent Wallet 1" }, L51: { env: "BOTPAY_AGENT_SECOND_PRIVATE_KEY", label: "Agent Wallet 2" },
Critical
Wallet Drain

Source uses private key material to transfer cryptocurrency funds.

cli.jsView on unpkg · L20
20Trigger-reachable chain: manifest.bin -> cli.js L20: import "dotenv/config"; L21: import { exec } from "node:child_process"; L22: import readline from "node:readline"; ... L36: function ensureDefaultRpcEnv() { L37: process.env.ETH_RPC_URL ||= "https://ethereum.publicnode.com"; L38: process.env.BASE_RPC_URL ||= "https://base.publicnode.com"; ... L45: L46: const LOCAL_BOTPAY_DIR = path.join(os.homedir(), ".botpay"); L47: const LOCAL_AGENT_WALLETS_FILE = path.join(LOCAL_BOTPAY_DIR, "agent-wallets.json"); ... L49: const LOCAL_AGENT_WALLET_ENV_KEYS = [ L50: { env: "BOTPAY_AGENT_PRIVATE_KEY", label: "Agent Wallet 1" }, L51: { env: "BOTPAY_AGENT_SECOND_PRIVATE_KEY", label: "Agent Wallet 2" },
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

cli.jsView on unpkg · L20

Findings

3 Critical3 Medium3 Low
CriticalCredential Exfiltrationcli.js
CriticalWallet Draincli.js
CriticalTrigger Reachable Dangerous Capabilitycli.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings