Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Paytoll
v1.0.827 tools for DeFi, DEX swaps, cross-chain bridges, Twitter/X, on-chain token data, crypto utilities, and LLM access via x402 micro-payments on Base. No API keys needed — payment is the auth.
⭐ 3· 1.4k·1 current·1 all-time
by@foodaka
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill's stated purpose (27 DeFi/DEX/bridges/LLM micro-pay tools paid via Base USDC) matches the tool list in SKILL.md and the need for a wallet to pay microfees is plausible. However the registry-level metadata shown earlier (no required env vars or bins) contradicts the SKILL.md header which declares requires.env: ["PRIVATE_KEY"] and requires.bins: ["node"]. That mismatch is concerning and unexplained.
Instruction Scope
SKILL.md instructs the agent to run an MCP client via npx (metadata: mcpServers.paytoll.command = npx -y paytoll-mcp) and to use a PRIVATE_KEY env var for signing EIP‑712 payment authorizations. The instructions claim the private key "never leaves your machine" and that the MCP only receives signed payment authorizations, but there is no verifiable enforcement here — the runtime will fetch and execute remote code which could in principle transmit more data. The instructions are otherwise scoped to the stated features and do not request unrelated system files, but the broad phrase 'paid automatically from the user's configured wallet' implies autonomous signing/payment behavior that increases risk if the agent can call the skill without additional user confirmation.
Install Mechanism
There is no formal install spec, but the SKILL.md metadata specifies runtime execution via npx -y paytoll-mcp. npx dynamically fetches and runs an npm package (un-pinned), which is moderate-to-high risk: code is fetched at runtime from the npm registry with no integrity/pinning or reproducible install specified. The linked GitHub repo gives a place to audit, but dynamic npx execution means the published npm package could differ from the repo or change later.
Credentials
The only declared required environment variable is PRIVATE_KEY, which is proportionate to the stated payment-auth model (micro-payments require signing). However, a private key is highly sensitive. The SKILL.md asks for a "dedicated" wallet with minimal funds (good guidance), but providing a raw PRIVATE_KEY to a runtime that will execute remotely-fetched JavaScript raises a real risk of key exfiltration if the runtime misbehaves. Also note the top-level registry data earlier that claimed no required env vars — that inconsistency is suspicious.
Persistence & Privilege
always: false (good). The skill is allowed to be invoked autonomously (disable-model-invocation: false), which is the platform default. Combined with the PRIVATE_KEY requirement and the runtime npx client, autonomous invocation increases blast radius (the skill could sign payments without explicit per-call confirmation unless the agent enforces it). The skill does not request system-wide config changes.
What to consider before installing
This skill is plausible for pay-per-call DeFi tools, but exercise caution: 1) The SKILL.md requires a PRIVATE_KEY and node and instructs running an npx package at runtime — npx will fetch and execute remote code, so do not expose your main wallet key. 2) Use a dedicated, funded-with-minimal-amounts wallet (as advised) or a read-only / watch-only signer when possible. 3) Before enabling the skill, review the npm package and the linked GitHub repo to confirm that signing is done locally and nothing is exfiltrated; prefer a pinned package version or running audited code locally rather than npx -y fetching latest. 4) Because the registry metadata contradicted the SKILL.md, ask the publisher to clarify and provide a reproducible install and package integrity info (exact npm package version / checksum). 5) If you must test, do so in an isolated environment or VM with a throwaway wallet. If you want help auditing the linked GitHub or npm package, provide the package name/version and I can list the files/entry points to check.Like a lobster shell, security has layers — review code before you run it.
latestvk97dnc4nnvh9306bkx7n8pqfmx80y10z
License
MIT-0
Free to use, modify, and redistribute. No attribution required.