registry  /  botpay  /  0.1.8

botpay@0.1.8

BotPay Agent Payment Demo CLI

AI Security Review

scanned 8d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a payment demo CLI with explicit wallet/payment workflows, but inspected source does not hide credential exfiltration or install-time execution.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs the botpay CLI and selects wallet/payment demo options.
Impact
Can move user-funded demo wallet assets when the user follows CLI payment flows; no hidden exfiltration confirmed.
Mechanism
User-invoked x402/WalletConnect payment demo flows
Rationale
Static inspection confirms risky cryptocurrency primitives, but they are part of an explicit user-invoked payment demo CLI and not hidden install/import-time theft or credential exfiltration. Hardcoded receivers and local private-key storage are disclosed in CLI flows, so the scanner's wallet-drain/exfiltration labels are noisy rather than proof of malicious behavior.
Evidence
package.jsoncli.js~/.botpay/agent-wallets.json.vouchers.json.agent-user-ledger.json
Network endpoints9
ethereum.publicnode.combase.publicnode.combsc-dataseed.binance.orgbotpay.network/watch?demo=machinemvp.botpay.network/demomvp.botpay.network/x402/nft-mint/api/verify-and-mintvideo.botpay.network/api/x402/video/watchmvp.botpay.network/demo/video-paywall/agent-accessbotpay-voucher-worker.alexwlex143.workers.dev

Decision evidence

public snapshot
AI called this Clean at 79.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • cli.js imports dotenv and reads BOTPAY_AGENT_* private keys for payment demos
  • cli.js can create local demo wallets and store private keys in ~/.botpay/agent-wallets.json
  • cli.js has user-invoked functions that transfer agent wallet funds to hardcoded receiver addresses
Evidence against
  • package.json has no lifecycle scripts; only bin entrypoint cli.js
  • No install-time execution found; behavior starts when user runs botpay CLI
  • No code sends private keys, env vars, or local wallet files to fetch/RPC endpoints
  • WalletConnect transfers and x402 signatures are displayed as payment demo actions and require CLI menu/user wallet interaction
  • Network endpoints are BotPay/x402/RPC services aligned with the package payment-demo purpose
  • No destructive filesystem writes or AI-agent control-surface mutation found
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 97.7 KB of source, external domains: base.llamarpc.com, base.publicnode.com, basescan.org, binance.llamarpc.com, botpay-voucher-worker.alexwlex143.workers.dev, botpay.network, bsc-dataseed.binance.org, bscscan.com, eth.llamarpc.com, ethereum.publicnode.com, etherscan.io, mvp.botpay.network, video.botpay.network

Source & flagged code

3 flagged · loading source
cli.jsView file
20import "dotenv/config"; L21: import { exec } from "node:child_process"; L22: import readline from "node:readline"; ... L36: function ensureDefaultRpcEnv() { L37: process.env.ETH_RPC_URL ||= "https://ethereum.publicnode.com"; L38: process.env.BASE_RPC_URL ||= "https://base.publicnode.com"; ... L45: L46: const LOCAL_BOTPAY_DIR = path.join(os.homedir(), ".botpay"); L47: const LOCAL_AGENT_WALLETS_FILE = path.join(LOCAL_BOTPAY_DIR, "agent-wallets.json"); ... L49: const LOCAL_AGENT_WALLET_ENV_KEYS = [ L50: { env: "BOTPAY_AGENT_PRIVATE_KEY", label: "Agent Wallet 1" }, L51: { env: "BOTPAY_AGENT_SECOND_PRIVATE_KEY", label: "Agent Wallet 2" },
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

cli.jsView on unpkg · L20
20import "dotenv/config"; L21: import { exec } from "node:child_process"; L22: import readline from "node:readline"; ... L36: function ensureDefaultRpcEnv() { L37: process.env.ETH_RPC_URL ||= "https://ethereum.publicnode.com"; L38: process.env.BASE_RPC_URL ||= "https://base.publicnode.com"; ... L45: L46: const LOCAL_BOTPAY_DIR = path.join(os.homedir(), ".botpay"); L47: const LOCAL_AGENT_WALLETS_FILE = path.join(LOCAL_BOTPAY_DIR, "agent-wallets.json"); ... L49: const LOCAL_AGENT_WALLET_ENV_KEYS = [ L50: { env: "BOTPAY_AGENT_PRIVATE_KEY", label: "Agent Wallet 1" }, L51: { env: "BOTPAY_AGENT_SECOND_PRIVATE_KEY", label: "Agent Wallet 2" },
Critical
Wallet Drain

Source uses private key material to transfer cryptocurrency funds.

cli.jsView on unpkg · L20
20Trigger-reachable chain: manifest.bin -> cli.js L20: import "dotenv/config"; L21: import { exec } from "node:child_process"; L22: import readline from "node:readline"; ... L36: function ensureDefaultRpcEnv() { L37: process.env.ETH_RPC_URL ||= "https://ethereum.publicnode.com"; L38: process.env.BASE_RPC_URL ||= "https://base.publicnode.com"; ... L45: L46: const LOCAL_BOTPAY_DIR = path.join(os.homedir(), ".botpay"); L47: const LOCAL_AGENT_WALLETS_FILE = path.join(LOCAL_BOTPAY_DIR, "agent-wallets.json"); ... L49: const LOCAL_AGENT_WALLET_ENV_KEYS = [ L50: { env: "BOTPAY_AGENT_PRIVATE_KEY", label: "Agent Wallet 1" }, L51: { env: "BOTPAY_AGENT_SECOND_PRIVATE_KEY", label: "Agent Wallet 2" },
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

cli.jsView on unpkg · L20

Findings

3 Critical3 Medium3 Low
CriticalCredential Exfiltrationcli.js
CriticalWallet Draincli.js
CriticalTrigger Reachable Dangerous Capabilitycli.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings