MoonPay Commerce (Helio) Accept Crypto Payments
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An unintended command could create a live payment link or disable an existing payment link.
The helper performs authenticated state-changing operations on the merchant account, including creating and disabling Pay Links. This matches the skill purpose but should be run only for explicit user-requested payment actions.
create-paylink) ... curl -s -X POST "$BASE/paylink/create/api-key?apiKey=$HELIO_API_KEY" ...
disable) ... curl -s -X PATCH "$BASE/paylink/$paylink_id/disable?apiKey=$HELIO_API_KEY&disabled=true"
Confirm payment link name, amount, currency, wallet, and any enable/disable action before allowing the agent to run these commands.
Anyone or any local process that obtains the saved API secret could act against the merchant’s MoonPay Commerce account within that credential’s permissions.
The skill needs merchant API credentials and stores them locally for future use. This is expected for the integration and is disclosed, but those credentials authorize account operations.
Requires a MoonPay Commerce account with API key and secret... Credentials are saved to `~/.mpc/helio/config` (mode 600).
Use a dedicated, least-privilege Helio API key if available, keep the config file protected, and run `bash scripts/setup.sh clear` when the skill is no longer needed.
