registry  /  botpay  /  0.2.2

botpay@0.2.2

Developer CLI for free x402 Bazaar discovery, direct payments, BotPay services, and escrow vouchers

AI Security Review

scanned 2h ago · by lpm-firewall-ai

The explicit legacy demo can create local agent wallets and execute user-driven x402 USDC transfers. Its multi-agent flow ultimately sends funds to a fixed external wallet address.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
User runs `botpay demo` and selects/funds the interactive multi-agent payment flow.
Impact
A user who funds the demo can cause downstream transfers to a hard-coded recipient; private keys are persisted locally for demo wallets.
Mechanism
Interactive WalletConnect-funded multi-wallet USDC relay.
Rationale
Source inspection confirms an explicit, high-risk crypto-transfer demo with a fixed recipient, but no install-time execution, covert exfiltration, or unconsented wallet drain. Treat it as a warning-worthy dangerous capability rather than a confirmed malicious package.
Evidence
package.jsonbin/botpay.jssrc/cli.jssrc/botpay-services.jscli.jssrc/x402.js~/.botpay/agent-wallets.json.vouchers.json.agent-user-ledger.json
Network endpoints4
botpay-voucher-worker.alexwlex143.workers.devmvp.botpay.networkvideo.botpay.networkbase.llamarpc.com

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `cli.js` legacy demo creates seven local private-key wallets at import time.
  • `cli.js` routes multi-agent USDC settlement to hard-coded `0xcC1984E79726E7a0ae2b9Df2ac9e79Fb4983930e`.
  • `src/cli.js` exposes the legacy behavior only through explicit `botpay demo`.
  • `src/botpay-services.js` supports user-confirmed x402 payment and full-balance refund operations.
Evidence against
  • `package.json` has no preinstall, install, or postinstall hook.
  • `bin/botpay.js` normally invokes `src/cli.js`, not the legacy demo.
  • Production payment, voucher, and refund commands require `--yes` in `src/cli.js`.
  • No credential harvesting, arbitrary remote-code loading, eval/vm use, or AI-agent configuration writes found.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 17 file(s), 211 KB of source, external domains: api.cdp.coinbase.com, base.llamarpc.com, base.publicnode.com, basescan.org, binance.llamarpc.com, botpay-scan.alexwlex143.workers.dev, botpay-voucher-worker.alexwlex143.workers.dev, botpay.network, bsc-dataseed.binance.org, bscscan.com, eth.llamarpc.com, ethereum.publicnode.com, etherscan.io, mvp.botpay.network, video.botpay.network, x.botpay.network

Source & flagged code

3 flagged · loading source
cli.jsView file
20import "dotenv/config"; L21: import { exec } from "node:child_process"; L22: import readline from "node:readline"; ... L36: function ensureDefaultRpcEnv() { L37: process.env.ETH_RPC_URL ||= "https://ethereum.publicnode.com"; L38: process.env.BASE_RPC_URL ||= "https://base.publicnode.com"; ... L45: L46: const LOCAL_BOTPAY_DIR = path.join(os.homedir(), ".botpay"); L47: const LOCAL_AGENT_WALLETS_FILE = path.join(LOCAL_BOTPAY_DIR, "agent-wallets.json"); ... L49: const LOCAL_AGENT_WALLET_ENV_KEYS = [ L50: { env: "BOTPAY_AGENT_PRIVATE_KEY", label: "Agent Wallet 1" }, L51: { env: "BOTPAY_AGENT_SECOND_PRIVATE_KEY", label: "Agent Wallet 2" },
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

cli.jsView on unpkg · L20
20import "dotenv/config"; L21: import { exec } from "node:child_process"; L22: import readline from "node:readline"; ... L36: function ensureDefaultRpcEnv() { L37: process.env.ETH_RPC_URL ||= "https://ethereum.publicnode.com"; L38: process.env.BASE_RPC_URL ||= "https://base.publicnode.com"; ... L45: L46: const LOCAL_BOTPAY_DIR = path.join(os.homedir(), ".botpay"); L47: const LOCAL_AGENT_WALLETS_FILE = path.join(LOCAL_BOTPAY_DIR, "agent-wallets.json"); ... L49: const LOCAL_AGENT_WALLET_ENV_KEYS = [ L50: { env: "BOTPAY_AGENT_PRIVATE_KEY", label: "Agent Wallet 1" }, L51: { env: "BOTPAY_AGENT_SECOND_PRIVATE_KEY", label: "Agent Wallet 2" },
Critical
Wallet Drain

Source uses private key material to transfer cryptocurrency funds.

cli.jsView on unpkg · L20
src/account.jsView file
matchType = previous_version_dangerous_delta matchedPackage = botpay@0.2.1 matchedIdentity = npm:Ym90cGF5:0.2.1 similarity = 0.941 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

src/account.jsView on unpkg

Findings

3 Critical2 Medium5 Low
CriticalCredential Exfiltrationcli.js
CriticalWallet Draincli.js
CriticalPrevious Version Dangerous Deltasrc/account.js
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings