iautopay
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This instruction-only skill documents a payment API, but it includes broad crypto transfer capability and sends bearer API keys over plain HTTP, so it needs careful review before use.
Before installing or invoking this skill, verify whether it is meant only for the Base Sepolia testnet. Do not sign any payment unless the recipient, amount, asset, and chain are exactly what you expect, and avoid using the documented HTTP account endpoints with real API keys.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
65/65 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user could be prompted into signing or submitting a stablecoin transfer to an unintended recipient or for an unintended amount.
This exposes a generic funds-transfer action that is not limited to purchasing an API key and could be misused if an agent prepares or submits a payment request without tightly confirming recipient, amount, asset, and chain.
### POST /v1/transfer - Pay Stablecoin
Pay USDC to any address using EIP-3009 off-chain signature.
Only use the payment flow for the intended API-key purchase, verify the chain/token/recipient/amount before signing, and prefer a skill version that removes or tightly scopes the generic transfer endpoint.
Your iAutoPay API key and account details could be exposed on the network when using the documented user-management endpoints.
The documented account API uses plain HTTP while sending a bearer API key, which can expose credentials and account/API-key data to interception or tampering.
curl "http://ipaynapi.gpuart.cn/user/me" \
  -H "Authorization: Bearer YOUR_API_KEY"
Do not send bearer API keys over plain HTTP; require HTTPS endpoints for all authenticated requests before using account-management features.
Using the skill may reveal wallet address, purchase history, and active API keys to the service and to any agent context handling the responses.
The skill accesses account identity and API-key inventory using a bearer API key; this is aligned with managing subscriptions, but it is sensitive authority and the registry metadata declares no primary credential.
GET /user/my-keys - List User API Keys
Get all API keys for your user account. **Requires authentication with your API key.**
Treat the API key and returned key list as sensitive, avoid sharing responses unnecessarily, and prefer metadata that clearly declares the credential requirement.
