Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
1ly Payments
v1.0.4
Agent-native payments via 1ly MCP. Use when the user needs x402 payment handling, to accept USDC for APIs/services, to pay for paid APIs, to create stores or...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious, medium confidence
Purpose & Capability
Functionality (buy/sell/payments, wallets, budgets, token tools) aligns with a payments MCP skill. Declared required binaries (mcporter, npx) and the node install of mcporter are consistent with the described workflow. However, the registry metadata lists no required environment variables while SKILL.md documents many sensitive env vars (wallet keys, budgets, API key) — that mismatch is a coherence/metadata issue.
Instruction Scope
SKILL.md explicitly instructs installing mcporter and running an @1ly/mcp-server via npx, setting wallet private keys (file paths or inline), and running payment/seller commands. These actions inherently read/write sensitive data (private keys, ONELY_API_KEY) and create local state files. While necessary for payments, the instructions allow persistent storage of secrets and autonomous spending if budgets are set — a dangerous capability if misconfigured or abused.
Install Mechanism
Install uses npm to install mcporter and recommends running npx @1ly/mcp-server@0.1.6. This is a common but non-trivial install path (third-party npm packages run code on install/run). The SKILL.md suggests verifying npm dist.integrity, which is good practice. Still, npm packages are an execution risk compared with an instruction-only skill.
Credentials
SKILL.md requires highly sensitive environment values (Solana/EVM private keys or inline secrets, ONELY_API_KEY, budget variables). The registry metadata did not declare these env requirements or a primary credential, which is inconsistent and increases surprise risk. Requesting private keys and an API key is proportionate for a payments tool, but the lack of explicit metadata and persistence of these secrets to config paths raises concern.
Persistence & Privilege
Skill metadata and SKILL.md indicate the skill will save seller API keys and budget state to user config paths (e.g., ~/Library/Application Support/1ly/onely_api_key.json, ~/.1ly-mcp-budget.json). It does not request always:true, but it does persist credentials to disk and can enable autonomous spending when budgets are configured — both increase long-term risk and require careful user control.
What to consider before installing
Before installing:
1) Treat the skill as sensitive — it asks for crypto private keys (files or inline) and will save API keys and budget state to your home config. Only supply keys you control and are comfortable storing locally.
2) Verify the npm packages and publisher names (mcporter, @1ly/mcp-server@0.1.6) and confirm the package integrity value before running npx.
3) If you do enable autonomous spending, set explicit budgets (or set ONELY_BUDGET_PER_CALL=0 to disable) and review budget state files regularly.
4) Prefer using a sandboxed or isolated environment and minimal test funds first.
5) Ask the maintainer for source code or a trusted homepage and an updated registry manifest that declares the env vars this SKILL.md requires — the current metadata omits them, which is a red flag.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
💸 Clawdis
Bins: mcporter, npx
Install
Install mcporter
Bins: mcporter
npm i -g mcporter