Skill v0.2.0
ClawScan security
Agentpay · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 11, 2026, 9:30 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's actions match its stated purpose (local encrypted vault + headless checkout), but key red flags — an unverified npm package with no source/homepage, an undeclared local vault path, and an MCP/HTTP dashboard that can open network endpoints — make this risky until you vet the package and runtime behavior.
- Guidance: Before installing or enabling this skill:
  1. Do not install the npm package until you can inspect its source code or verify the publisher (check the package owner, repo, GitHub org, and recent publish history).
  2. Verify where the package stores the vault (~/.agentpay/vault.enc) and ensure it has appropriate file permissions; ensure the code actually uses AES-256-GCM/Ed25519 as claimed.
  3. Avoid enabling MCP HTTP or dashboard ports unless you run the tool in an isolated environment (VM/container) and restrict network access; those features expose local services that could be abused.
  4. Prefer to have the human run setup and keep the passphrase offline; restrict agent autonomy so it can only propose purchases and cannot approve or start network services without explicit human action.
  5. If you cannot audit the package, treat it as untrusted: run it in a disposable sandbox and monitor outbound network activity and filesystem writes.
  6. If you want to proceed, require human approval for any setup that writes credentials and confirm the package's integrity (checksums/signatures) from a trusted source.
Review Dimensions
- Purpose & Capability (note): The name/description (automated purchases, encrypted credential vault, headless checkout) lines up with the declared install (npm package 'agentpay') and the runtime instructions (use npx agentpay commands). However, the skill metadata and README reference a local vault at ~/.agentpay/vault.enc and a cryptographic approval flow, while the registry metadata provides no source repo or homepage to verify the implementation. That lack of provenance is an unexplained gap.
- Instruction Scope (concern): SKILL.md and references instruct the agent to run npx agentpay buy/approve/status and to start an MCP server (npx agentpay mcp --http) and a dashboard (agentpay dashboard). Those commands imply creating and reading a local encrypted vault (~/.agentpay/vault.enc), launching a headless browser to inject credentials into merchant pages, and possibly opening HTTP endpoints. The instructions do not ask the agent to read unrelated files or env vars, but they do enable network-exposed services and local vault access — behavior broader than a simple CLI helper and potentially dangerous if the underlying npm package is untrusted.
- Install Mechanism (concern): Install is an npm package ('agentpay') that creates the agentpay binary. This is expected for a CLI SDK, but there is no source repository, homepage, or author information provided to audit the package. Installing an npm package that handles payment credentials without provenance is high risk because arbitrary code will run on the host. The install is moderate-risk by mechanism (npm) but high-risk in context (handling secrets).
- Credentials (note): The skill requests no environment variables or primary credential, which is proportionate to its claim of local-first operation. However, the runtime docs reference a specific config path (~/.agentpay/vault.enc) that is not declared in the skill metadata's required config paths. The absence of declared config paths and explicit permissions is a gap — the agent/tool will create and read a vault on disk, which is sensitive and should be explicitly noted.
- Persistence & Privilege (concern): The skill does not set always:true (good), but it supports starting long-lived services (MCP stdio/http transport and a dashboard on a port). Those capabilities let other local or networked processes invoke AgentPay operations. Combined with an unverified installable package that handles payment credentials, the ability to open HTTP endpoints and dashboards increases attack surface and the risk of unauthorized requests or lateral access if misconfigured.
