registry  /  paysafe-x402  /  1.1.0

paysafe-x402@1.1.0

PaySafe — a payment security firewall for x402 micropayment traffic. Advisory scanning: PII/secret leaks, replay, overpayment, prompt-injection-triggered payments, counterparty reputation. Non-custodial. Includes an MCP server: npx paysafe-x402

AI Security Review

scanned 1d ago · by lpm-firewall-ai

No confirmed malicious attack surface. Runtime network use is package-aligned payment-scanning/MCP API communication, and local writes support the package's own service state.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Explicit MCP tool invocation or starting the documented HTTP service.
Impact
No evidence of unconsented execution, exfiltration, destructive behavior, or AI-agent control-surface modification.
Mechanism
Payment-security scanning, optional API calls, and local state persistence.
Rationale
The scanner's Trojan Source hit is a false positive: the only invisible characters are intentionally matched by an injection-detection regex, while the full packaged source contains no such controls. Source inspection found no install-time execution or concrete malicious behavior; network and persistence features match the stated payment-firewall service.
Evidence
package.jsondist/mcp/server.jsdist/src/detectors/injection.jsdist/src/detectors/pinning.jsdist/src/store.jsdist/src/verdictsign.jsdist/src/index.jsdist/src/scanner.jsdist/src/sanitize.jsdist/src/auditlog.js
Network endpoints3
paysafe-agent.comapi.cdp.coinbase.com/platform/v2/x402/discovery/merchantx402.org/facilitator

Decision evidence

public snapshot
AI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • `package.json` has no preinstall/install/postinstall hooks.
    • `dist/src/detectors/injection.js` embeds zero-width characters only in a detector regex; full-source scan found no bidi/zero-width controls.
    • `dist/mcp/server.js` exposes explicit MCP tools and sends requests only to configured PaySafe service endpoints.
    • No child-process, shell, eval/vm, dynamic module loading, credential harvesting, or agent-config mutation found.
    • Filesystem writes in `store.js`, `auditlog.js`, and `verdictsign.js` are local service state, audit records, and a mode-0600 signing key.
    Behavioral surface
    Source
    CryptoEnvironmentVarsFilesystemNetwork
    Supply chain
    HighEntropyStringsObfuscatedUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 26 file(s), 133 KB of source, external domains: api.cdp.coinbase.com, api.example.com, paysafe-agent.com, x402.org

    Source & flagged code

    2 flagged · loading source
    dist/src/detectors/injection.jsView file
    9contains invisible/control Unicode U+200B (zero width space) { id: "invisible_chars", re: /[<U+200B><U+200C><U+200D><U+2060><U+FEFF>­]/, label: "invisible/zero-width characters (hidden text)" },
    Critical
    Trojan Source Unicode

    Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

    dist/src/detectors/injection.jsView on unpkg · L9
    Trigger-reachable chain: manifest.main -> dist/src/index.js -> dist/src/api.js -> dist/src/scanner.js -> dist/src/detectors/injection.js Reachable file contains a blocking source-risk pattern.
    Critical
    Trigger Reachable Dangerous Capability

    A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

    dist/src/detectors/injection.jsView on unpkg

    Findings

    2 Critical3 Medium5 Low
    CriticalTrojan Source Unicodedist/src/detectors/injection.js
    CriticalTrigger Reachable Dangerous Capabilitydist/src/detectors/injection.js
    MediumNetwork
    MediumEnvironment Vars
    MediumStructural Risk Force Deep Review
    LowScripts Present
    LowFilesystem
    LowObfuscated
    LowHigh Entropy Strings
    LowUrl Strings