Tyrpay Buyer Skill
Verdict: Warn. Audited by ClawScan on May 14, 2026.
Overview
This TyrPay buyer skill is coherent and not clearly malicious, but it gives an agent wallet-backed payment authority without documented spend limits or required user approval.
Only install this with a dedicated low-balance wallet or constrained signer, and require manual approval for every transaction. Review and pin the TyrPay packages before use, because this bundle contains only instructions and not the actual implementation.
Findings (3)

Scope: Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Finding 1
Risk: If the runtime exposes these tools with a funded signer, an agent could lock funds into a TyrPay task based on mistaken, manipulated, or overly broad instructions.
Details: The skill documents a tool that can create and fund a payment task. The artifacts do not state that a human must approve the amount, seller, task terms, or funding action before the agent uses the tool.
Evidence: `tyrpay_post_task` creates a task and optionally waits for seller commitment and funds it.
Recommendation: Require explicit user confirmation before any funding or refund action, enforce spend caps, show the task amount and counterparty before signing, and prefer a dedicated low-balance wallet.

Finding 2
Risk: A broadly configured signer could give the agent more wallet authority than the user intended for a single TyrPay purchase flow.
Details: A signer is wallet authority for payment operations. The artifacts do not bound which signer should be used, how credentials are protected, what spending authority is allowed, or how the user can revoke or constrain that authority.
Evidence: The instructions construct `BuyerSdk` with a signer, settlement address, and storage adapter.
Recommendation: Use a dedicated wallet or limited signer, avoid exposing broad private-key authority, document credential requirements, and configure explicit transaction approval gates.

Finding 3
Risk: Installing unreviewed or unpinned external packages could expose the wallet/payment workflow to implementation or dependency risk.
Details: The reviewed bundle is instruction-only, so the actual runtime packages are outside the provided artifacts and are not version-pinned here. This is expected for a setup guide, but users must verify the external packages themselves.
Evidence: The instructions install `@tyrpay/buyer-skill`, `@tyrpay/buyer-sdk`, and a storage adapter.
Recommendation: Install from a trusted registry, pin package versions, review package provenance, and test with a low-value wallet before production use.
