registry  /  botpay  /  0.1.9

botpay@0.1.9

BotPay Agent Payment Demo CLI

AI Security Review

scanned 8d ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Running botpay CLI and selecting payment demo menu options or direct args such as wallet/nft/video.
Impact
Funds explicitly deposited into the agent/demo flow can be transferred to hardcoded receivers or BotPay x402 services.
Mechanism
user-invoked crypto payment automation with local agent private keys
Policy narrative
The CLI is a payment demo that generates or reads agent wallet keys, connects to MetaMask via WalletConnect, and performs selected payment/voucher/x402 flows. Some flows move funds to hardcoded BotPay receiver or treasury addresses after user menu interaction and wallet funding/approval. I did not find lifecycle execution, stealth credential upload, or automatic wallet draining merely from installation.
Rationale
The package exposes high-risk crypto payment automation, but the risky transfers are user-invoked and package-aligned rather than hidden install/import-time malware. Warn is appropriate because hardcoded receivers and local private-key signing create real loss risk if users misunderstand the demo flow.
Evidence
package.jsoncli.js~/.botpay/agent-wallets.json.vouchers.json.agent-user-ledger.json
Network endpoints10
ethereum.publicnode.combase.publicnode.combsc-dataseed.binance.orgbase.llamarpc.cometh.llamarpc.combinance.llamarpc.commvp.botpay.network/x402/nft-mint/api/verify-and-mintvideo.botpay.network/api/x402/video/watchbotpay-voucher-worker.alexwlex143.workers.devbotpay.network

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • cli.js creates/loads local private keys at runtime in ~/.botpay/agent-wallets.json.
  • cli.js signs transactions/x402 authorizations with BOTPAY_AGENT_PRIVATE_KEY and related env keys.
  • cli.js contains hardcoded payout/treasury receivers and sends user/agent funds to them in selected demos.
  • cli.js contacts BotPay/voucher/x402 endpoints and public RPC endpoints for payment flows.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hooks.
  • The only declared entrypoint is user-invoked bin cli.js.
  • No code found that sends raw private keys or env contents to a remote endpoint.
  • Wallet funding and payment flows print recipient/amount prompts and require menu selection or wallet approval.
  • Hardcoded network/payment behavior is aligned with a BotPay payment demo package.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 103 KB of source, external domains: base.llamarpc.com, base.publicnode.com, basescan.org, binance.llamarpc.com, botpay-voucher-worker.alexwlex143.workers.dev, botpay.network, bsc-dataseed.binance.org, bscscan.com, eth.llamarpc.com, ethereum.publicnode.com, etherscan.io, mvp.botpay.network, video.botpay.network

Source & flagged code

3 flagged · loading source
cli.jsView file
20import "dotenv/config"; L21: import { exec } from "node:child_process"; L22: import readline from "node:readline"; ... L36: function ensureDefaultRpcEnv() { L37: process.env.ETH_RPC_URL ||= "https://ethereum.publicnode.com"; L38: process.env.BASE_RPC_URL ||= "https://base.publicnode.com"; ... L45: L46: const LOCAL_BOTPAY_DIR = path.join(os.homedir(), ".botpay"); L47: const LOCAL_AGENT_WALLETS_FILE = path.join(LOCAL_BOTPAY_DIR, "agent-wallets.json"); ... L49: const LOCAL_AGENT_WALLET_ENV_KEYS = [ L50: { env: "BOTPAY_AGENT_PRIVATE_KEY", label: "Agent Wallet 1" }, L51: { env: "BOTPAY_AGENT_SECOND_PRIVATE_KEY", label: "Agent Wallet 2" },
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

cli.jsView on unpkg · L20
20import "dotenv/config"; L21: import { exec } from "node:child_process"; L22: import readline from "node:readline"; ... L36: function ensureDefaultRpcEnv() { L37: process.env.ETH_RPC_URL ||= "https://ethereum.publicnode.com"; L38: process.env.BASE_RPC_URL ||= "https://base.publicnode.com"; ... L45: L46: const LOCAL_BOTPAY_DIR = path.join(os.homedir(), ".botpay"); L47: const LOCAL_AGENT_WALLETS_FILE = path.join(LOCAL_BOTPAY_DIR, "agent-wallets.json"); ... L49: const LOCAL_AGENT_WALLET_ENV_KEYS = [ L50: { env: "BOTPAY_AGENT_PRIVATE_KEY", label: "Agent Wallet 1" }, L51: { env: "BOTPAY_AGENT_SECOND_PRIVATE_KEY", label: "Agent Wallet 2" },
Critical
Wallet Drain

Source uses private key material to transfer cryptocurrency funds.

cli.jsView on unpkg · L20
20Trigger-reachable chain: manifest.bin -> cli.js L20: import "dotenv/config"; L21: import { exec } from "node:child_process"; L22: import readline from "node:readline"; ... L36: function ensureDefaultRpcEnv() { L37: process.env.ETH_RPC_URL ||= "https://ethereum.publicnode.com"; L38: process.env.BASE_RPC_URL ||= "https://base.publicnode.com"; ... L45: L46: const LOCAL_BOTPAY_DIR = path.join(os.homedir(), ".botpay"); L47: const LOCAL_AGENT_WALLETS_FILE = path.join(LOCAL_BOTPAY_DIR, "agent-wallets.json"); ... L49: const LOCAL_AGENT_WALLET_ENV_KEYS = [ L50: { env: "BOTPAY_AGENT_PRIVATE_KEY", label: "Agent Wallet 1" }, L51: { env: "BOTPAY_AGENT_SECOND_PRIVATE_KEY", label: "Agent Wallet 2" },
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

cli.jsView on unpkg · L20

Findings

3 Critical3 Medium3 Low
CriticalCredential Exfiltrationcli.js
CriticalWallet Draincli.js
CriticalTrigger Reachable Dangerous Capabilitycli.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings