1ly Payments
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This is a coherent payment integration that discloses its crypto wallet and budget use, but users should treat it as high-impact because it can spend, trade, and manage seller/payment state.
Install only if you are comfortable giving an agent payment authority. Use a dedicated low-balance wallet, set explicit low daily/per-call budgets or disable auto-spend, verify the npm package, and require manual review for irreversible financial or seller-account actions.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
64/64 vendors reported this skill as clean (no detections).
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If you opt in and set budgets, the agent may spend within those limits without asking every time; token trades and withdrawals can affect real funds.
The tools can perform financial actions, including paid API calls, token trades, and withdrawals. The artifact also states that budgeted autonomous spend can skip per-call confirmation. This is disclosed and consistent with the payment purpose, but users should weigh the impact before enabling it.
“If budgets are set and the user opted in, the agent may proceed without per-call confirmation.” … “1ly_call”: pay and call a paid API … “1ly_trade_token”: trade tokens … “1ly_withdraw”: request a withdrawal
Use low explicit budgets, set `ONELY_BUDGET_PER_CALL=0` if you do not want auto-spend, and require manual confirmation for irreversible payments, trades, withdrawals, and deletions.
A configured wallet or seller key can authorize crypto payments, token operations, and seller account actions.
The skill uses wallet private keys and seller API credentials for payment and seller workflows. This is expected for the stated purpose and the artifacts do not show unrelated credential use, but the credentials are high-impact.
`ONELY_WALLET_SOLANA_KEY=/path/to/solana-wallet.json` … `ONELY_WALLET_EVM_KEY=/path/to/evm.key` … “Seller tools only: `ONELY_API_KEY` (auto-saved after `1ly_create_store`).”
Use a dedicated low-balance wallet, prefer the Coinbase Agentic Wallet option where suitable, protect key files, avoid inline private keys where logs may capture them, and revoke seller keys if no longer needed.
The agent will depend on external npm code to handle payments and credentials.
The runnable MCP implementation is pulled from npm rather than included in the reviewed files. The versioned npx command and integrity-check instruction are useful, but users still rely on the external package.
`npm install -g mcporter` … `mcporter config add 1ly --command "npx @1ly/mcp-server@0.1.6"` … `npm view @1ly/mcp-server dist.integrity`
Install only from trusted npm sources, verify package integrity before use, and keep the MCP server updated intentionally rather than accepting unexpected package changes.
