Eth Payment

PassAudited by ClawScan on May 10, 2026.

Overview

The skill appears to be a local payment-link and QR-code generator with no credentials or transaction execution, but users should verify generated blockchain details before using them.

This skill looks safe for local payment-link generation, but crypto payment requests are financially sensitive. Install the Python dependencies carefully, verify the recipient and token contract addresses, and check the final transaction details in the wallet before anyone pays.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Low

#ASI02: Tool Misuse and Exploitation

What this means

A malformed or incorrect token address could create an unusable or incorrect payment request, though the skill does not itself execute a transaction.

Why it was flagged

The skill relies on bundled token configuration to generate payment links; this DAI address appears malformed, so users should independently verify token contract addresses before sharing generated links.

Skill content

"DAI": { "address": "0x6B175474E89094C44Da98b954EessdeCD8398fE", "decimals": 18 }

Recommendation

Verify recipient addresses, token contract addresses, network, and amount in the receiving wallet before sharing or using generated payment links.

Info

#ASI04: Agentic Supply Chain Vulnerabilities

What this means

Installing packages changes the local Python environment and depends on package-source trust.

Why it was flagged

The skill requires installing third-party Python packages for QR generation. This is disclosed and purpose-aligned, but it is still a local dependency installation step.

Skill content

pip install qrcode pillow

Recommendation

Install dependencies from a trusted Python package index and preferably inside a virtual environment.

Info

#ASI02: Tool Misuse and Exploitation

What this means

The skill may create or overwrite a QR image file wherever the user directs it.

Why it was flagged

The script can write a generated QR image to a user-provided path. This is disclosed and central to the skill's QR-code purpose.

Skill content

if args.qr and result.get("success"):
        qr_result = generate_qr_code(result["links"]["metamask"], args.qr)

Recommendation

Choose an appropriate output path and avoid overwriting important files.