Paytoll
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
Paytoll appears to be a coherent crypto tool integration, but it requires a wallet private key, runs an unpinned npm MCP server, and automatically spends USDC per tool call without clear budget or approval controls.
Install only if you are comfortable running the referenced MCP package with access to a dedicated low-balance wallet private key. Verify the npm/GitHub source, pin the package version if possible, never use your main wallet, and monitor or limit automatic paid tool calls.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the MCP package or configuration is compromised or misused, the dedicated wallet's funds and payment authority could be at risk.
The skill requires a raw crypto wallet private key. Even though it recommends a dedicated low-fund wallet, this is high-impact credential access, and the supplied registry metadata separately says no required env vars or primary credential.
requires.env: ["PRIVATE_KEY"] ... A **dedicated** wallet private key set as `PRIVATE_KEY`
Use only a new dedicated wallet with minimal funds, verify the package/source before use, and do not provide a main wallet or high-value private key.

Unexpected or repeated tool use could spend wallet funds even if each individual charge is small.
The skill states that every tool call triggers an automatic payment, but the visible artifact does not define user confirmation, spending caps, or rate limits for repeated agent-invoked calls.
Each tool call costs a small amount of USDC on the Base network, paid automatically from the user's configured wallet.
Set a strict wallet balance limit, monitor charges, and require explicit approval before paid tool calls where possible.

A changed or malicious npm package version could run local code with access to the wallet private key.
The skill runs an npm package via npx -y with no pinned version shown and passes the wallet private key into that process. No code files or lockfile were provided for review.
metadata: {"mcpServers":{"paytoll":{"command":"npx","args":["-y","paytoll-mcp"],"env":{"PRIVATE_KEY":"${PRIVATE_KEY}"}}}}
Pin and verify the exact package version, review the repository/package contents, and avoid exposing wallet keys to unreviewed runtime code.

Users may place more trust in the wallet safety model than the reviewed artifacts can justify.
These are strong safety assurances, but the provided artifacts do not include the MCP server code to substantiate them, and repeated small automatic authorizations can still deplete the dedicated wallet balance.
The private key never leaves your machine... The wallet cannot be drained — each payment is a discrete, small authorization.
Treat the safety claims as unverified until the code and payment flow are reviewed; keep only a small amount of funds in the configured wallet.
