Bluepages

Warn

Audited by ClawScan on May 10, 2026.

Overview

The skill matches a Bluepages lookup use case, but it asks for wallet/payment authority and uses an unpinned GitHub MCP server without clear spending safeguards.

Install only if you trust the Bluepages MCP package. Use an API key instead of a wallet private key when possible; if you must use a private key, create a dedicated wallet with minimal funds and require explicit approval for any paid lookup or credit purchase.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the key is overfunded or mishandled by the MCP package, funds in that wallet could be spent. Even normal lookups may incur charges.

Why it was flagged

The skill explicitly accepts an Ethereum private key, which is a high-impact credential that can authorize blockchain payments. This is purpose-related, but it grants more authority than a read-only lookup API key.

Skill content

`PRIVATE_KEY` — Ethereum private key for x402 pay-per-request (USDC on Base).

Recommendation

Prefer BLUEPAGES_API_KEY when possible. If using PRIVATE_KEY, use only a dedicated, minimally funded wallet and rotate/remove the key after use.

What this means

An agent could potentially spend more than the user intended if payment tools are invoked without clear confirmation.

Why it was flagged

The tool list includes a financial action that can spend USDC using the provided private key, but the instructions do not specify an explicit confirmation step, amount cap, or approval rule before purchases.

Skill content

`purchase_credits` | `$5–$600 USDC` | `Buy credits via x402 (PRIVATE_KEY only)`

Recommendation

Require explicit user approval before any credit purchase or x402 payment, and document hard spending limits.

What this means

Users must trust remote code that was not available in this review to handle sensitive credentials and paid actions safely.

Why it was flagged

The MCP runtime is pulled from a GitHub package without a pinned version or reviewed code in the submitted artifacts. This matters because that package is expected to handle API keys, private keys, and payments.

Skill content

node | package: github:bluepagesdoteth/bluepages-mcp

Recommendation

Pin the MCP package to a specific audited release or commit, publish reviewable source artifacts, and avoid giving it a private key unless necessary.