moneydevkit

Review

Audited by ClawScan on May 10, 2026.

Overview

This is a coherent payment-integration skill, but it requires trusting Moneydevkit with wallet/API secrets and optional account-management tools.

Install only if you trust Moneydevkit as a payment and wallet provider. Keep MDK_MNEMONIC and MDK_ACCESS_TOKEN in a real secrets manager, never share them in chat or commit them to git, test with non-production credentials first, and require confirmation before the agent changes or deletes payment-account data.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the mnemonic or API key is exposed, an attacker may be able to access the payment account or steal wallet funds.

Why it was flagged

The skill requires both an API key and a wallet seed phrase to be placed in application or deployment secrets. This is expected for the payment/wallet purpose and is explicitly warned about, but it is high-impact credential material.

Skill content

All options produce two values:
- `MDK_ACCESS_TOKEN` — API key
- `MDK_MNEMONIC` — wallet seed phrase
...
Add both to `.env`

Recommendation

Use a secrets manager, never paste the mnemonic into chat or logs, start with testnet/signet credentials, use separate limited-scope apps where possible, and rotate the API key if exposed.

What this means

An unintended tool call could change products, customers, apps, or API keys in the Moneydevkit account.

Why it was flagged

The authenticated MCP tools can modify or delete payment-account objects and rotate keys. These actions fit the payment-management purpose and are disclosed, but they can materially affect a business account.

Skill content

- `update-app` / `rotate-api-key` — manage apps
- `create-product` / `list-products` / `get-product` / `update-product` / `delete-product`
- `create-customer` / `list-customers` / `get-customer` / `update-customer` / `delete-customer`

Recommendation

Require explicit user confirmation before update, delete, or key-rotation actions, and verify important changes in the Moneydevkit dashboard.

What this means

You are trusting the published Moneydevkit npm package and its current version at install time.

Why it was flagged

The setup flow asks the user to run an external npm package via npx. This is common for developer tooling and central to the stated purpose, but the package code is not included in the skill artifacts and no version pin is shown.

Skill content

npx @moneydevkit/create

Recommendation

Install from a trusted environment, verify the package publisher, consider pinning versions in project dependencies, and review lockfiles or package provenance before production use.

What this means

The connected MCP server may expose account, product, customer, checkout, and order operations to the agent.

Why it was flagged

The skill can add a remote authenticated MCP server for account management. The endpoint and OAuth requirement are disclosed, and this is purpose-aligned, but it creates a provider/agent control path over payment-account data.

Skill content

claude mcp add moneydevkit --transport http https://mcp.moneydevkit.com/mcp/account/

Recommendation

Connect only the official Moneydevkit MCP endpoint, review OAuth prompts and granted access, and disconnect or disable the MCP server when it is not needed.