Paytoll
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: paytoll
Version: 1.0.8
The skill bundle is classified as suspicious due to its high-risk execution model and reliance on external, dynamically loaded components. It executes `npx -y paytoll-mcp`, which downloads and runs a third-party package from npm, posing a significant supply chain risk. This package is granted access to the user's `PRIVATE_KEY` environment variable, which, despite claims of local-only usage for micro-payments, introduces a critical trust dependency. Furthermore, the skill states that the 'MCP server discovers tools dynamically from the API,' meaning the agent's capabilities can change without explicit review of the skill bundle, potentially introducing new, unvetted functionalities. The `SKILL.md` file contains these instructions and requirements.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the MCP package or configuration is compromised or misused, the dedicated wallet's funds and payment authority could be at risk.
The skill requires a raw crypto wallet private key. Even though it recommends a dedicated low-fund wallet, this is high-impact credential access, while the supplied registry metadata separately lists no required environment variables or primary credential.
requires.env: ["PRIVATE_KEY"] ... A **dedicated** wallet private key set as `PRIVATE_KEY`
Use only a new dedicated wallet with minimal funds, verify the package/source before use, and do not provide a main wallet or high-value private key.
Unexpected or repeated tool use could spend wallet funds even if each individual charge is small.
The skill states that every tool call triggers an automatic payment, but the visible artifact does not define user confirmation, spending caps, or rate limits for repeated agent-invoked calls.
Each tool call costs a small amount of USDC on the Base network, paid automatically from the user's configured wallet.
Set a strict wallet balance limit, monitor charges, and require explicit approval before paid tool calls where possible.
A changed or malicious npm package version could run local code with access to the wallet private key.
The skill runs an npm package via `npx -y` with no pinned version shown and passes the wallet private key into that process. No code files or lockfile were provided for review.
metadata: {"mcpServers":{"paytoll":{"command":"npx","args":["-y","paytoll-mcp"],"env":{"PRIVATE_KEY":"${PRIVATE_KEY}"}}}}
Pin and verify the exact package version, review the repository/package contents, and avoid exposing wallet keys to unreviewed runtime code.
Users may place more trust in the wallet safety model than the reviewed artifacts can justify.
These are strong safety assurances, but the provided artifacts do not include the MCP server code to substantiate them, and repeated small automatic authorizations can still deplete the dedicated wallet balance.
The private key never leaves your machine... The wallet cannot be drained — each payment is a discrete, small authorization.
Treat the safety claims as unverified until the code and payment flow are reviewed; keep only a small amount of funds in the configured wallet.
