PayGents
Warn
Audited by ClawScan on May 10, 2026.
Overview
PayGents is a mostly coherent non-custodial crypto payment helper, but some of its scripts build executable Node.js code from unvalidated chain IDs, so crafted input could run unintended local code.
Do not use this skill with untrusted user-supplied chain IDs until the scripts are patched. If you do use it, verify every wallet approval screen, consider configuring a private RPC endpoint, and clear stored wallet preferences when they are no longer wanted.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If an agent passes an attacker-controlled chain ID into this script, the script could run unintended local code under the user's account.
The --chain-id value is copied from a command argument and embedded directly into a Node.js source string without numeric validation, so a crafted chain ID could break out of the quoted string and execute unintended JavaScript.
--chain-id) CHAIN_ID="${2:-}"; shift 2 ;; ... RPC="$(node -e "const c=require('$SCRIPT_DIR/lib/rpc-config.js'); const r=c.getRpc('$CHAIN_ID'); if(!r){process.exit(1)} process.stdout.write(r)")"

Validate chain IDs with a strict numeric allowlist before use, and pass values to Node via process.argv or environment variables rather than interpolating them into node -e code.
A maliciously crafted chain ID used while generating a receipt could cause unintended local code execution.
The receipt script also embeds the user-supplied --chain-id into dynamically generated Node.js code, including a raw expression position, without validating that it is only digits.
--chain-id) CHAIN_ID="${2:-}"; shift 2 ;; ... CHAIN_NAME="$(node -e "const c=require('$SCRIPT_DIR/lib/rpc-config.js'); const m=c.getChainMeta('$CHAIN_ID'); process.stdout.write(m?m.name:'Chain '+$CHAIN_ID)")"

Add strict input validation for --chain-id and avoid constructing executable code with shell-expanded variables.
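As an added illustration of the two chain-ID findings above (example code written for this review, not PayGents code), the following bash script reproduces the shell-to-node -e interpolation against a stand-in for lib/rpc-config.js and places the recommended fix beside it. The stub module, its chain IDs, RPC URLs and the allowlist are hypothetical; the breakout payload only makes node exit with status 42 so the effect is visible without doing anything else.

```bash
#!/usr/bin/env bash
# Added example for this review, not PayGents code. Reproduces the audited
# shell-to-`node -e` interpolation and shows the hardened form beside it.
# lib/rpc-config.js is replaced by a small stub with hypothetical chain
# IDs and RPC URLs so the demo runs offline.
set -u

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
LIB="$WORK/rpc-config.js"
cat > "$LIB" <<'EOF'
// Stand-in for lib/rpc-config.js (hypothetical data).
const CHAINS = {
  "1":   { name: "Ethereum", rpc: "https://rpc.example/eth" },
  "137": { name: "Polygon",  rpc: "https://rpc.example/polygon" },
};
exports.getRpc = (id) => (CHAINS[id] ? CHAINS[id].rpc : null);
exports.getChainMeta = (id) => CHAINS[id] || null;
EOF

# Hypothetical allowlist of chain IDs the skill is meant to support.
ALLOWED_CHAIN_IDS="1 137"

# Strict check: decimal digits only, then membership in the allowlist.
validate_chain_id() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  local ok
  for ok in $ALLOWED_CHAIN_IDS; do [ "$1" = "$ok" ] && return 0; done
  return 1
}

# The audited pattern: the chain ID is spliced into JavaScript source text.
# Returns the exact string node would be asked to run, so the breakout is visible.
vulnerable_node_source() {
  printf '%s' "const c=require('$LIB'); const r=c.getRpc('$1'); if(!r){process.exit(1)} process.stdout.write(r)"
}

# Hardened: validate first, then pass the value as an argument. With -e,
# process.argv[1] is the first argument after the script, so the value
# never touches the JavaScript parser.
safe_get_rpc() {
  validate_chain_id "$1" || { echo "rejected chain id: $1" >&2; return 2; }
  node -e 'const c=require(process.argv[1]); const r=c.getRpc(process.argv[2]); if(!r){process.exit(1)} process.stdout.write(r)' "$LIB" "$1"
}

# Same treatment for the receipt script's fallback name, which the audited
# code built with a raw 'Chain '+$CHAIN_ID expression.
safe_chain_name() {
  validate_chain_id "$1" || { echo "rejected chain id: $1" >&2; return 2; }
  node -e 'const c=require(process.argv[1]); const m=c.getChainMeta(process.argv[2]); process.stdout.write(m?m.name:"Chain "+process.argv[2])' "$LIB" "$1"
}

# Benign breakout payload: closes the quoted string, makes node exit 42,
# and comments out the rest of the line.
PAYLOAD="1');process.exit(42);//"

if command -v node >/dev/null 2>&1; then
  node -e "$(vulnerable_node_source "$PAYLOAD")" || echo "vulnerable: node exited $? (payload ran)"
  safe_get_rpc "$PAYLOAD" || echo "hardened: exit $? (rejected before node ran)"
  safe_get_rpc 137 && echo "  <- hardened: validated id resolved"
  safe_chain_name 1 && echo "  <- chain name via process.argv"
fi
```

The allowlist check does the real work: a digits-only regex alone would still accept chain IDs the skill has no RPC for, and passing the value through process.argv means that even a value which slips past validation is data, not code.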
The agent can present payment links, but funds should only move if the user approves the transaction in their wallet.
The tool creates wallet deeplinks that prefill crypto transfers. This is the stated purpose and the message tells the user to verify the recipient and amount before approval.
"deeplink": "${DEEPLINK}", "messageTemplate": "Payment request: ${AMOUNT} ${SYMBOL} to ${SHORT_TO}. Tap to open ${WALLET_DISPLAY} and approve. Reject if recipient or amount doesn't match."

Only approve wallet prompts after independently checking the recipient, amount, token, and chain shown in the wallet.
Public RPC providers may learn which wallet addresses or transactions are being checked from the user's environment.
Balance checks, transaction verification, and receipts use external RPC providers by default, which can observe queried wallet addresses and transaction hashes.
Public providers (e.g. `eth.llamarpc.com`) will see your wallet addresses and tx hashes. Resolution order: env var `RPC_<chainId>` → `config.json` → public fallback.
Use a trusted private RPC endpoint through RPC_<chainId> or config.json if wallet-query privacy matters.
The agent may keep using a remembered wallet choice in later conversations.
The skill instructs the agent to persist a wallet preference. This is low-sensitivity and disclosed, but it is still persistent context that can become stale or incorrect.
Ask once, remember forever. ... Store the user's wallet preference so you don't ask again. The agent should note the preference in its local session context (e.g. memory file).
Allow users to review, change, or clear the remembered wallet preference and avoid storing anything beyond the wallet type.
