AI Security Review
scanned 8d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is a payment demo CLI with explicit wallet/payment workflows, but inspected source does not hide credential exfiltration or install-time execution.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs the botpay CLI and selects wallet/payment demo options.
Impact
Can move user-funded demo wallet assets when the user follows CLI payment flows; no hidden exfiltration confirmed.
Mechanism
User-invoked x402/WalletConnect payment demo flows
Rationale
Static inspection confirms risky cryptocurrency primitives, but they are part of an explicit user-invoked payment demo CLI and not hidden install/import-time theft or credential exfiltration. Hardcoded receivers and local private-key storage are disclosed in CLI flows, so the scanner's wallet-drain/exfiltration labels are noisy rather than proof of malicious behavior.
Evidence
package.jsoncli.js~/.botpay/agent-wallets.json.vouchers.json.agent-user-ledger.json
Network endpoints9
ethereum.publicnode.combase.publicnode.combsc-dataseed.binance.orgbotpay.network/watch?demo=machinemvp.botpay.network/demomvp.botpay.network/x402/nft-mint/api/verify-and-mintvideo.botpay.network/api/x402/video/watchmvp.botpay.network/demo/video-paywall/agent-accessbotpay-voucher-worker.alexwlex143.workers.dev
Decision evidence
public snapshotAI called this Clean at 79.0% confidence as Benign with medium false-positive risk.
Evidence for block
- cli.js imports dotenv and reads BOTPAY_AGENT_* private keys for payment demos
- cli.js can create local demo wallets and store private keys in ~/.botpay/agent-wallets.json
- cli.js has user-invoked functions that transfer agent wallet funds to hardcoded receiver addresses
Evidence against
- package.json has no lifecycle scripts; only bin entrypoint cli.js
- No install-time execution found; behavior starts when user runs botpay CLI
- No code sends private keys, env vars, or local wallet files to fetch/RPC endpoints
- WalletConnect transfers and x402 signatures are displayed as payment demo actions and require CLI menu/user wallet interaction
- Network endpoints are BotPay/x402/RPC services aligned with the package payment-demo purpose
- No destructive filesystem writes or AI-agent control-surface mutation found
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
3 flagged · loading sourcecli.jsView file
20import "dotenv/config";
L21: import { exec } from "node:child_process";
L22: import readline from "node:readline";
...
L36: function ensureDefaultRpcEnv() {
L37: process.env.ETH_RPC_URL ||= "https://ethereum.publicnode.com";
L38: process.env.BASE_RPC_URL ||= "https://base.publicnode.com";
...
L45:
L46: const LOCAL_BOTPAY_DIR = path.join(os.homedir(), ".botpay");
L47: const LOCAL_AGENT_WALLETS_FILE = path.join(LOCAL_BOTPAY_DIR, "agent-wallets.json");
...
L49: const LOCAL_AGENT_WALLET_ENV_KEYS = [
L50: { env: "BOTPAY_AGENT_PRIVATE_KEY", label: "Agent Wallet 1" },
L51: { env: "BOTPAY_AGENT_SECOND_PRIVATE_KEY", label: "Agent Wallet 2" },
Critical
Credential Exfiltration
Source appears to send environment or credential material to an external endpoint.
cli.jsView on unpkg · L2020import "dotenv/config";
L21: import { exec } from "node:child_process";
L22: import readline from "node:readline";
...
L36: function ensureDefaultRpcEnv() {
L37: process.env.ETH_RPC_URL ||= "https://ethereum.publicnode.com";
L38: process.env.BASE_RPC_URL ||= "https://base.publicnode.com";
...
L45:
L46: const LOCAL_BOTPAY_DIR = path.join(os.homedir(), ".botpay");
L47: const LOCAL_AGENT_WALLETS_FILE = path.join(LOCAL_BOTPAY_DIR, "agent-wallets.json");
...
L49: const LOCAL_AGENT_WALLET_ENV_KEYS = [
L50: { env: "BOTPAY_AGENT_PRIVATE_KEY", label: "Agent Wallet 1" },
L51: { env: "BOTPAY_AGENT_SECOND_PRIVATE_KEY", label: "Agent Wallet 2" },
Critical
Wallet Drain
Source uses private key material to transfer cryptocurrency funds.
cli.jsView on unpkg · L2020Trigger-reachable chain: manifest.bin -> cli.js
L20: import "dotenv/config";
L21: import { exec } from "node:child_process";
L22: import readline from "node:readline";
...
L36: function ensureDefaultRpcEnv() {
L37: process.env.ETH_RPC_URL ||= "https://ethereum.publicnode.com";
L38: process.env.BASE_RPC_URL ||= "https://base.publicnode.com";
...
L45:
L46: const LOCAL_BOTPAY_DIR = path.join(os.homedir(), ".botpay");
L47: const LOCAL_AGENT_WALLETS_FILE = path.join(LOCAL_BOTPAY_DIR, "agent-wallets.json");
...
L49: const LOCAL_AGENT_WALLET_ENV_KEYS = [
L50: { env: "BOTPAY_AGENT_PRIVATE_KEY", label: "Agent Wallet 1" },
L51: { env: "BOTPAY_AGENT_SECOND_PRIVATE_KEY", label: "Agent Wallet 2" },
Critical
Trigger Reachable Dangerous Capability
A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
cli.jsView on unpkg · L20Findings
3 Critical3 Medium3 Low
CriticalCredential Exfiltrationcli.js
CriticalWallet Draincli.js
CriticalTrigger Reachable Dangerous Capabilitycli.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings