registry  /  paysafe-x402  /  1.1.3

paysafe-x402@1.1.3

PaySafe — a payment security firewall for x402 micropayment traffic. Advisory scanning: PII/secret leaks, replay, overpayment, prompt-injection-triggered payments, counterparty reputation. Non-custodial. Includes an MCP server: npx paysafe-x402

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. The package is an explicitly run HTTP/MCP payment-screening service with package-aligned persistence and network calls.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Direct server launch, or explicit invocation of an MCP tool after launching the package CLI.
Impact
No install-time execution, credential harvesting, remote payload execution, destructive behavior, or foreign AI-agent control-surface mutation was found.
Mechanism
x402 payment scanning and MCP proxying to its configured PaySafe service.
Rationale
The scanner's Trojan Source finding is a false positive: the characters appear deliberately inside detection regexes. Source inspection found only package-aligned service behavior, with no concrete malicious chain.
Evidence
package.jsondist/src/detectors/injection.jsdist/mcp/server.jsdist/src/index.jsdist/src/store.jsdist/src/config.jsdist/src/detectors/pinning.jsdist/src/detectors/scoutscore.js

Decision evidence

public snapshot
AI called this Clean at 98.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • `package.json` has no preinstall/install/postinstall lifecycle hooks.
    • `dist/src/detectors/injection.js` uses invisible Unicode only in regexes that detect hidden input text.
    • No child-process, shell, eval/vm, dynamic module-loading, native, or binary-loading primitives were found.
    • `dist/mcp/server.js` makes API requests only after an explicit MCP tool invocation.
    • `dist/src/store.js` persists service state under configured `DATA_DIR`; no foreign AI-agent config paths are referenced.
    • `dist/src/index.js` starts the Express service only when its runtime entrypoint is launched.
    Behavioral surface
    Source
    CryptoEnvironmentVarsFilesystemNetwork
    Supply chain
    HighEntropyStringsObfuscatedUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 32 file(s), 205 KB of source, external domains: api.cdp.coinbase.com, api.example.com, github.com, paysafe-agent.com, scoutscore.ai, x402.org

    Source & flagged code

    2 flagged · loading source
    dist/src/detectors/injection.jsView file
    9contains invisible/control Unicode U+200B (zero width space) { id: "invisible_chars", re: /[<U+200B><U+200C><U+200D><U+2060><U+FEFF>­]/, label: "invisible/zero-width characters (hidden text)" },
    Critical
    Trojan Source Unicode

    Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

    dist/src/detectors/injection.jsView on unpkg · L9
    Trigger-reachable chain: manifest.main -> dist/src/index.js -> dist/src/api.js -> dist/src/scanner.js -> dist/src/detectors/injection.js Reachable file contains a blocking source-risk pattern.
    Critical
    Trigger Reachable Dangerous Capability

    A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

    dist/src/detectors/injection.jsView on unpkg

    Findings

    2 Critical3 Medium5 Low
    CriticalTrojan Source Unicodedist/src/detectors/injection.js
    CriticalTrigger Reachable Dangerous Capabilitydist/src/detectors/injection.js
    MediumNetwork
    MediumEnvironment Vars
    MediumStructural Risk Force Deep Review
    LowScripts Present
    LowFilesystem
    LowObfuscated
    LowHigh Entropy Strings
    LowUrl Strings