Agentpay
Warn
Audited by ClawScan on May 10, 2026.
Overview
AgentPay is openly designed to make real purchases. It stores payment credentials and exposes payment-related tools through an MCP interface whose trust boundaries are not defined, while claiming that nothing leaves the machine, a claim that cannot hold for a real online checkout.
Install only if you trust the AgentPay npm package and are comfortable giving it payment credentials. Use a low-limit or virtual card, set strict budgets, approve every purchase manually, and do not enable HTTP MCP access unless it is securely restricted. Do not assume that payment or order data stays only on your machine during real website checkout.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If approved, the tool can place real orders and create real charges.
The skill is explicitly capable of completing real merchant checkout flows and submitting orders. This is aligned with its purpose, but it is high-impact financial automation.
Adds to cart → Fills checkout form → Injects credentials from vault → Submits order
Set strict budgets, and review the merchant, item, URL, amount, shipping, and any subscription terms before approving a transaction.
Your payment card details are stored locally and can be used by the checkout workflow after approval.
The skill stores payment credentials and later uses them. The artifacts describe encryption and a human-driven setup, so this is purpose-aligned, but it still hands sensitive account authority to an automated workflow.
Human enters payment credentials, sets passphrase. Creates encrypted vault at `~/.agentpay/vault.enc`.
Only set this up on a trusted machine, consider using a virtual or low-limit card, and set conservative per-transaction and total budgets.
If the MCP server is enabled too broadly, another agent or client may be able to access payment-related operations or purchase history, and potentially initiate sensitive workflows.
The MCP/HTTP integration is described as callable by any compatible agent, but the artifacts do not define authentication, caller identity, per-agent permissions, or which payment operations are human-only.
`npx agentpay mcp --http` ... `exposes AgentPay operations as MCP tools that any compatible agent can call directly`
Avoid enabling the HTTP MCP mode unless it is bound locally and protected; prefer stdio, restrict allowed tools, and ensure approval actions cannot be invoked by agents.
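The controls recommended above and under the budget guidance (human-only approval, an allowlist of agent-callable tools, per-transaction and total caps, loopback-only callers) can be expressed as one policy gate in front of a tool dispatcher. The block below is an added example, not code from the AgentPay package or the ClawScan report; the tool names (`propose_order`, `approve_order`, `reveal_card`), the policy shape and the `caller.remoteAddress` field are assumptions made for illustration.

```javascript
'use strict';
// Added example, not AgentPay's code. Tool names, policy shape and the
// caller object are assumptions.

// Tools an agent may invoke. Approval and credential access are deliberately
// absent from this set: they must come from a human, never from a tool call.
const AGENT_CALLABLE = new Set(['search_products', 'add_to_cart', 'propose_order']);

// Budget policy in cents: a hard per-transaction cap and a running total cap.
// Assumed shape; a real implementation would persist spentCents.
const DEFAULT_POLICY = { perTxnCents: 5000, totalCents: 20000, spentCents: 0 };

// Accept only loopback callers. An HTTP MCP listener bound to 0.0.0.0 would let
// any host on the network reach the payment tools, so refuse everything else.
function isLoopback(addr) {
  return /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(addr)
    || addr === '::1'
    || /^::ffff:127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/i.test(addr);
}

function checkBudget(policy, amountCents) {
  if (!Number.isInteger(amountCents) || amountCents <= 0) {
    return { ok: false, reason: 'amount must be a positive integer number of cents' };
  }
  if (amountCents > policy.perTxnCents) {
    return { ok: false, reason: `amount ${amountCents} exceeds per-transaction cap ${policy.perTxnCents}` };
  }
  if (policy.spentCents + amountCents > policy.totalCents) {
    return { ok: false, reason: `amount ${amountCents} would exceed total budget ${policy.totalCents}` };
  }
  return { ok: true, reason: 'within budget' };
}

// Decide whether a tool call may proceed. `call` is { tool, args } and
// `caller` is { remoteAddress }. A purchase is never executed here: at most
// it is returned as a proposal that a human must approve out of band.
function gateToolCall(call, caller, policy = DEFAULT_POLICY) {
  if (!isLoopback(caller.remoteAddress)) {
    return { allowed: false, reason: `refused non-loopback caller ${caller.remoteAddress}` };
  }
  if (!AGENT_CALLABLE.has(call.tool)) {
    return { allowed: false, reason: `tool ${call.tool} is not agent-callable` };
  }
  if (call.tool === 'propose_order') {
    const args = call.args || {};
    const budget = checkBudget(policy, args.amountCents);
    if (!budget.ok) return { allowed: false, reason: budget.reason };
    // The proposal carries every field a human should see before approving.
    return {
      allowed: true,
      needsHumanApproval: true,
      proposal: {
        merchant: args.merchant,
        url: args.url,
        item: args.item,
        amountCents: args.amountCents,
        shipping: args.shipping,
        recurring: Boolean(args.recurring),
      },
    };
  }
  return { allowed: true, needsHumanApproval: false };
}

// Usage: a local agent proposes a purchase; the gate applies the budget and
// hands the proposal to the human approval step rather than to checkout.
const localAgent = { remoteAddress: '127.0.0.1' };
const decision = gateToolCall(
  { tool: 'propose_order', args: { merchant: 'example-shop', url: 'https://shop.example/cart', item: 'cable', amountCents: 1999 } },
  localAgent,
);
console.log(decision.allowed, decision.needsHumanApproval);
```

The same policy object should back the stdio transport, so that switching transports does not change which tools an agent can reach; the budget counter is the one piece of state that must survive restarts, otherwise a sequence of agent sessions can exceed the total cap.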
Users may underestimate where their payment and purchase data goes during checkout.
The 'nothing leaves the machine' claim is overbroad: an online checkout necessarily sends order, shipping, and payment details to the merchant and its payment processor. The referenced Stagehand/Browserbase browser environment is also not clearly scoped; if checkout runs in a hosted browser session, the checkout pages and the injected card details pass through that provider as well.
`Injects payment credentials from the encrypted vault` ... `Submits the order` ... `Local-first — no servers, no cloud, nothing leaves the machine`
Treat checkout as sharing data with the merchant and payment processor, and ask the publisher to document exact data flows, third parties, and whether any browser automation is hosted.
The actual code handling payment credentials was not visible in these artifacts.
The reviewed artifacts do not include the npm package implementation, while that package is expected to collect card details, store the vault, and drive checkout.
Source: unknown. Homepage: none. Install specification: node, package `agentpay`, creates binary `agentpay`.
Verify the npm package publisher, source repository, version, and reputation before entering any payment information.
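A pre-install review of the registry metadata can be scripted. The block below is an added example, not part of the ClawScan report or the AgentPay package: it takes the parsed output of `npm view <package> --json` and lists the signals a reviewer would want before typing in a card number. The sample input is constructed to mirror only what this page states (no source, no homepage, one binary); the maintainer entry is a placeholder, not a real publisher.

```javascript
'use strict';
// Added example, not AgentPay's code. Input is the parsed output of
// `npm view <package> --json`; field names follow the npm registry manifest.

// Lifecycle scripts that run arbitrary code at install time.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

function reviewPackageMetadata(meta) {
  const concerns = [];
  const repoUrl = typeof meta.repository === 'string'
    ? meta.repository
    : meta.repository && meta.repository.url;
  if (!repoUrl) {
    concerns.push('no source repository declared: published code cannot be compared to a source tree');
  }
  if (!meta.homepage) {
    concerns.push('no homepage: no publisher-controlled place to verify provenance or data-handling policy');
  }
  if (!Array.isArray(meta.maintainers) || meta.maintainers.length === 0) {
    concerns.push('no maintainers listed');
  }
  const hooks = INSTALL_HOOKS.filter((h) => meta.scripts && meta.scripts[h]);
  if (hooks.length) {
    concerns.push(`install-time scripts run arbitrary code: ${hooks.join(', ')}`);
  }
  const bins = meta.bin ? Object.keys(meta.bin) : [];
  if (bins.length) {
    concerns.push(`installs executables on PATH: ${bins.join(', ')}`);
  }
  if (!(meta.dist && meta.dist.integrity)) {
    concerns.push('no dist.integrity hash: the exact tarball cannot be pinned in a lockfile');
  }
  return concerns;
}

// Constructed sample reflecting this page's signals: source unknown, homepage
// none, one binary. The maintainer is a placeholder, not a real publisher.
const SAMPLE_META = {
  name: 'agentpay',
  maintainers: [{ name: '<unknown>' }],
  bin: { agentpay: 'bin/agentpay.js' },
  dist: { integrity: 'sha512-<placeholder>' },
};

console.log(reviewPackageMetadata(SAMPLE_META).join('\n'));
```

Run it against `npm view agentpay --json` output rather than the sample; then confirm the tarball is the one the lockfile pins and, where the publisher uses npm provenance, check it with `npm audit signatures` after install.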
