Skill v0.3.2

ClawScan security

BoltzPay · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 1, 2026, 4:27 AM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's stated purpose (paying for API data) is plausible, but there are inconsistencies and risky operational details — notably sensitive payment credentials, runtime npx execution of remote JS, incomplete metadata about optional credentials/protocols, and an unknown/unclear source — so proceed with caution and verification before installing.
Guidance
Key things to consider before installing or providing credentials:
- Provenance: The registry lists 'Source: unknown' and no homepage; verify the upstream project (GitHub, npm, official docs) and the package author before running npx or installing. Do not trust links in the SKILL.md without independently verifying them.
- Test credentials / least privilege: Never supply primary production Coinbase/TEMPO/Stripe secrets to a new skill. Use test/dev accounts or keys with minimal funds. If possible, use keys restricted to only the necessary scopes.
- Limit spending: If you need to trial this skill, set a strict BOLTZPAY_DAILY_BUDGET and/or create a dedicated wallet with a small balance. The SKILL.md lists this env var as optional — consider making it mandatory for any real deployment.
- Audit the package: Because the CLI is run via npx (remote code execution), review the @boltzpay CLI / @boltzpay SDK code on npm/GitHub (audit for unexpected network calls, telemetry, or credential exfiltration) before running it in an environment with secrets.
- Metadata mismatch: Ask the publisher/maintainer why TEMPO_PRIVATE_KEY, NWC_CONNECTION_STRING, and STRIPE_SECRET_KEY are referenced in the docs but not declared in the registry 'requires.env' and why the registry shows no verified source. Clarify exact install steps and package origins.
- Control autonomous behavior: If you cannot fully trust the package yet, disable autonomous model invocation for this skill or require explicit user consent before the agent runs any fetch/pay operation.
- Start with read-only commands: Use discover/quote/diagnose first (these are shown as not requiring credentials) to validate behavior and the registry results before enabling fetch/payment commands.
If you want, I can: (a) draft a short checklist/question list to request from the publisher, (b) show commands to inspect the npm package contents before executing it with npx, or (c) suggest how to create constrained/test credentials for Coinbase/Tempo/Stripe.

Review Dimensions

Purpose & Capability
note: The name/description (automatic payments across x402/L402/MPP and multiple chains) aligns with the CLI commands shown. Requiring Coinbase CDP credentials for USDC on Base is consistent with the x402 use-case. However the SKILL.md also documents other payment credentials (TEMPO_PRIVATE_KEY, NWC_CONNECTION_STRING, STRIPE_SECRET_KEY) but those are not declared in the registry metadata's required env list, and the registry metadata lists no homepage/source even though the documentation links to GitHub/npm/docs. The overall capability is plausible but the metadata/instructions are not fully consistent.
Instruction Scope
concern: Runtime instructions tell the agent to run npx @boltzpay/cli commands (which will fetch and execute JS from npm). The SKILL.md distinguishes which commands 'need credentials' (fetch) but also includes wallet/budget/history commands that access wallet/payment state. The SKILL.md references additional environment variables (TEMPO_PRIVATE_KEY, NWC_CONNECTION_STRING, STRIPE_SECRET_KEY, BOLTZPAY_DAILY_BUDGET) that are not present in the registry 'requires.env' list — an inconsistency. Using npx means remote code will be executed at runtime, which is expected for a CLI but increases risk when paired with live payment credentials.
Install Mechanism
concern: Declared binary dependency is only npx and the metadata lists a node install entry for a BoltzPay CLI, but there's no pinned package source or clear install URL in the registry metadata. The SKILL.md examples rely on npx/@boltzpay/cli and npm/@boltzpay/sdk links, so installing/running will fetch code from npm at runtime. Fetching and executing remote JS via npx/npm is common for CLIs but is higher-risk than an instruction-only skill because it executes third-party code not bundled in the skill. Also the registry entry's 'Source: unknown' / 'Homepage: none' increases uncertainty about provenance.
Credentials
concern: The skill requests highly sensitive payment credentials (COINBASE_API_KEY_ID, COINBASE_API_KEY_SECRET, COINBASE_WALLET_SECRET) which are reasonable for making payments, but the declared required env list omits other payment credentials the SKILL.md describes (TEMPO_PRIVATE_KEY, NWC_CONNECTION_STRING, STRIPE_SECRET_KEY). Allowing the agent to hold and use live payment keys without strong metadata or enforced limits (BOLTZPAY_DAILY_BUDGET is optional) is disproportionate unless the user strictly limits funds or uses test credentials. The skill also gives the agent the ability to perform autonomous payments (model invocation is enabled by default).
Persistence & Privilege
note: The skill does not set always:true (so it's not forced into every run). Model invocation is enabled (default), meaning the agent could call this skill autonomously. Autonomous invocation is the platform default — not a problem on its own — but when combined with the ability to execute npx-fetched code and supply live payment credentials, the blast radius of misuse increases. The skill does not declare any special persistent system-wide modifications, but it can execute remote CLI code at runtime.