registry  /  paysafe-x402  /  1.1.1

paysafe-x402@1.1.1

PaySafe — a payment security firewall for x402 micropayment traffic. Advisory scanning: PII/secret leaks, replay, overpayment, prompt-injection-triggered payments, counterparty reputation. Non-custodial. Includes an MCP server: npx paysafe-x402

AI Security Review

scanned 18h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The CLI/MCP server performs user-invoked payment-screening API calls; optional CDP verification is package-aligned.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Explicit execution of the CLI/MCP tools or running the service entrypoint.
Impact
Processes caller-supplied payment data and optionally sends it to the configured PaySafe service; no unconsented credential harvesting or control-surface mutation was found.
Mechanism
Payment metadata scanning, local persistence, and configured PaySafe/CDP HTTP requests.
Rationale
Static hints are noisy: the reported invisible Unicode is intentionally embedded in detection regexes, not deceptive executable logic. Source inspection found no install-time execution, exfiltration chain, remote payload execution, persistence, or AI-agent control-surface modification.
Evidence
package.jsondist/mcp/server.jsdist/src/detectors/injection.jsdist/src/detectors/pinning.jsdist/src/index.jsdist/src/scanner.jsdist/src/config.jsdist/src/store.jsdist/src/auditlog.jsdist/src/verdictsign.js
Network endpoints3
paysafe-agent.comapi.cdp.coinbase.com/platform/v2/x402/discovery/merchant?payTo=<encoded>x402.org/facilitator

Decision evidence

public snapshot
AI called this Clean at 97.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall/install/postinstall hooks.
    • dist/src/detectors/injection.js uses invisible characters only in regexes that detect hidden text.
    • dist/mcp/server.js sends requests only when its MCP tools are invoked.
    • dist/mcp/server.js forwards PAYSAFE_API_KEY only to the configured PaySafe base URL.
    • dist/src/detectors/pinning.js optionally queries CDP merchant discovery for payment pin verification.
    • No child-process, eval/vm, dynamic loading, or agent-config writes found in dist.
    Behavioral surface
    Source
    CryptoEnvironmentVarsFilesystemNetwork
    Supply chain
    HighEntropyStringsObfuscatedUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 26 file(s), 133 KB of source, external domains: api.cdp.coinbase.com, api.example.com, paysafe-agent.com, x402.org

    Source & flagged code

    2 flagged · loading source
    dist/src/detectors/injection.jsView file
    9contains invisible/control Unicode U+200B (zero width space) { id: "invisible_chars", re: /[<U+200B><U+200C><U+200D><U+2060><U+FEFF>­]/, label: "invisible/zero-width characters (hidden text)" },
    Critical
    Trojan Source Unicode

    Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

    dist/src/detectors/injection.jsView on unpkg · L9
    Trigger-reachable chain: manifest.main -> dist/src/index.js -> dist/src/api.js -> dist/src/scanner.js -> dist/src/detectors/injection.js Reachable file contains a blocking source-risk pattern.
    Critical
    Trigger Reachable Dangerous Capability

    A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

    dist/src/detectors/injection.jsView on unpkg

    Findings

    2 Critical3 Medium5 Low
    CriticalTrojan Source Unicodedist/src/detectors/injection.js
    CriticalTrigger Reachable Dangerous Capabilitydist/src/detectors/injection.js
    MediumNetwork
    MediumEnvironment Vars
    MediumStructural Risk Force Deep Review
    LowScripts Present
    LowFilesystem
    LowObfuscated
    LowHigh Entropy Strings
    LowUrl Strings