MoonPay Commerce (Helio) Accept Crypto Payments

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: mpc-accept-crypto-payments
Version: 0.3.0

The skill bundle demonstrates robust security practices, particularly in credential handling and input sanitization. The `setup.sh` script interactively prompts for API keys/secrets, stores them in `~/.mpc/helio/config` with `600` permissions, and the `load_config` function in both `helio.sh` and `setup.sh` safely parses only whitelisted `KEY="value"` lines, preventing arbitrary code execution from the config file. Crucially, `helio.sh` includes a `validate_input` function that rejects shell metacharacters and path traversal sequences for all user-supplied arguments, mitigating shell injection vulnerabilities. All API interactions are with `https://api.hel.io/v1`, and JSON payloads are safely constructed using `jq -n --arg`. There is no evidence of data exfiltration, persistence mechanisms, or prompt injection attempts against the agent.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

An unintended command could create a live payment link or disable an existing payment link.

Why it was flagged

The helper performs authenticated state-changing operations on the merchant account, including creating and disabling Pay Links. This matches the skill purpose but should be run only for explicit user-requested payment actions.

Skill content

create-paylink) ... curl -s -X POST "$BASE/paylink/create/api-key?apiKey=$HELIO_API_KEY" ...
disable) ... curl -s -X PATCH "$BASE/paylink/$paylink_id/disable?apiKey=$HELIO_API_KEY&disabled=true"

Recommendation

Confirm payment link name, amount, currency, wallet, and any enable/disable action before allowing the agent to run these commands.

What this means

Anyone or any local process that obtains the saved API secret could act against the merchant’s MoonPay Commerce account within that credential’s permissions.

Why it was flagged

The skill needs merchant API credentials and stores them locally for future use. This is expected for the integration and is disclosed, but those credentials authorize account operations.

Skill content

Requires a MoonPay Commerce account with API key and secret... Credentials are saved to `~/.mpc/helio/config` (mode 600).

Recommendation

Use a dedicated, least-privilege Helio API key if available, keep the config file protected, and run `bash scripts/setup.sh clear` when the skill is no longer needed.