AI Security Review
scanned 3h ago · by lpm-firewall-aiNo confirmed malicious attack surface. This is a payment CLI whose wallet creation, network use, and USDC transfers are activated by explicit user commands and payment confirmations.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs BotPay commands, especially `execute`, `call --yes`, or `demo`.
Impact
Can transfer funds from the user-configured/local agent wallet only when the user invokes a payment flow and confirms it.
Mechanism
User-confirmed x402 payment and wallet-management operations.
Rationale
The scanner's wallet and environment findings correspond to the package's stated payment functionality. Source inspection found no install-time execution, secret exfiltration, stealth persistence, or unconsented transfer path.
Evidence
package.jsonbin/botpay.jssrc/cli.jssrc/wallet.jssrc/x402.jssrc/botpay-services.jscli.jssrc/config.js
Decision evidence
public snapshotAI called this Clean at 92.0% confidence as Benign with low false-positive risk.
Evidence for block
- `cli.js` legacy demo can create local demo wallets and initiate x402 USDC transfers.
- `src/cli.js` permits payments only through explicit commands with `--yes` confirmation.
Evidence against
- `package.json` has no preinstall, install, postinstall, or prepare hook.
- `bin/botpay.js` only invokes `src/cli.js` after the user runs the CLI.
- `src/cli.js` uses `spawn` only for explicit `botpay demo` and safe URL opening.
- `src/wallet.js` stores the package-owned agent wallet locally with mode 0600.
- Reviewed network calls target configured RPC, BotPay, Bazaar, and user-supplied x402 endpoints; no credential-upload path found.
- No eval, remote code loading, destructive filesystem action, or AI-agent control-surface mutation found.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcecli.jsView file
20import "dotenv/config";
L21: import { exec } from "node:child_process";
L22: import readline from "node:readline";
...
L36: function ensureDefaultRpcEnv() {
L37: process.env.ETH_RPC_URL ||= "https://ethereum.publicnode.com";
L38: process.env.BASE_RPC_URL ||= "https://base.publicnode.com";
...
L45:
L46: const LOCAL_BOTPAY_DIR = path.join(os.homedir(), ".botpay");
L47: const LOCAL_AGENT_WALLETS_FILE = path.join(LOCAL_BOTPAY_DIR, "agent-wallets.json");
...
L49: const LOCAL_AGENT_WALLET_ENV_KEYS = [
L50: { env: "BOTPAY_AGENT_PRIVATE_KEY", label: "Agent Wallet 1" },
L51: { env: "BOTPAY_AGENT_SECOND_PRIVATE_KEY", label: "Agent Wallet 2" },
Critical
Credential Exfiltration
Source appears to send environment or credential material to an external endpoint.
cli.jsView on unpkg · L2020import "dotenv/config";
L21: import { exec } from "node:child_process";
L22: import readline from "node:readline";
...
L36: function ensureDefaultRpcEnv() {
L37: process.env.ETH_RPC_URL ||= "https://ethereum.publicnode.com";
L38: process.env.BASE_RPC_URL ||= "https://base.publicnode.com";
...
L45:
L46: const LOCAL_BOTPAY_DIR = path.join(os.homedir(), ".botpay");
L47: const LOCAL_AGENT_WALLETS_FILE = path.join(LOCAL_BOTPAY_DIR, "agent-wallets.json");
...
L49: const LOCAL_AGENT_WALLET_ENV_KEYS = [
L50: { env: "BOTPAY_AGENT_PRIVATE_KEY", label: "Agent Wallet 1" },
L51: { env: "BOTPAY_AGENT_SECOND_PRIVATE_KEY", label: "Agent Wallet 2" },
Critical
Wallet Drain
Source uses private key material to transfer cryptocurrency funds.
cli.jsView on unpkg · L20Findings
2 Critical2 Medium5 Low
CriticalCredential Exfiltrationcli.js
CriticalWallet Draincli.js
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings