MoonPay Commerce (Helio) Accept Crypto Payments
Pass
Audited by ClawScan on May 10, 2026.
Overview
This skill appears purpose-aligned for managing MoonPay Commerce payment links, but it uses merchant API credentials and can create or disable payment links.
Use this only with a MoonPay Commerce account you control. Run setup yourself, verify amounts and currencies before creating payment links, avoid disable/enable actions unless intended, and clear the saved credentials when you are done.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An unintended command could create a live payment link or disable an existing payment link.
The helper performs authenticated state-changing operations on the merchant account, including creating and disabling Pay Links. This matches the skill purpose but should be run only for explicit user-requested payment actions.
create-paylink) ... curl -s -X POST "$BASE/paylink/create/api-key?apiKey=$HELIO_API_KEY" ... disable) ... curl -s -X PATCH "$BASE/paylink/$paylink_id/disable?apiKey=$HELIO_API_KEY&disabled=true"
Confirm payment link name, amount, currency, wallet, and any enable/disable action before allowing the agent to run these commands.
Anyone or any local process that obtains the saved API secret could act against the merchant’s MoonPay Commerce account within that credential’s permissions.
The skill needs merchant API credentials and stores them locally for future use. This is expected for the integration and is disclosed, but those credentials authorize account operations.
Requires a MoonPay Commerce account with API key and secret... Credentials are saved to `~/.mpc/helio/config` (mode 600).
Use a dedicated, least-privilege Helio API key if available, keep the config file protected, and run `bash scripts/setup.sh clear` when the skill is no longer needed.
