Skill v1.0.0

ClawScan security

AgentPay MCP · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review · Mar 13, 2026, 8:27 AM
Verdict: Review
Confidence: high
Model: gpt-5-mini
Summary
The skill's purpose (making on‑chain payments) aligns with the credentials it requests, but the package provides no code for review and asks you to store a highly sensitive private key in agent configs and environment variables — a combination that deserves caution before installation.
Guidance
This skill gives an agent the ability to sign and send real cryptocurrency transactions. Before installing:

(1) Do not provision your main wallet private key. Prefer a dedicated signing key or a constrained account funded only with a small test balance.
(2) Require and verify human approval flows in your agent runtime for any payment above a tiny threshold.
(3) Inspect the npm package and GitHub repository the SKILL.md references (pin a specific release/tag and review code) before running npm install -g.
(4) Avoid storing private keys in plaintext config files; consider hardware signers or remote signing services that limit scope.
(5) If you decide to proceed, set conservative MAX_TX_USDC and MAX_DAILY_USDC env values, run the package in an isolated environment, and audit logs for unexpected activity.

Because this skill bundle contains no code to review, you cannot verify what the installed package will do — that uncertainty is the main reason this is flagged as suspicious.

Review Dimensions

Purpose & Capability
Note: The skill is a payment/MCP server and therefore legitimately needs a signing key (AGENT_PRIVATE_KEY), an RPC endpoint (RPC_URL), and a Node runtime; those requirements are consistent with the stated functionality. Minor inconsistency: the skill is instruction-only in the registry (no code supplied or install spec), yet the SKILL.md instructs users to npm install -g agentpay-mcp and to modify MCP config files.
Instruction Scope
Concern: SKILL.md instructs storing the agent private key and RPC URL in MCP config or environment variables and adding a global npm binary to MCP server config (~/.config/claude/mcp.json). That places long‑lived signing material in a file/env accessible to the agent runtime and any processes that read that config. Because the skill describes autonomous payments, those instructions expand the agent's ability to create and sign transactions without additional checks unless external approvals are enforced.
Install Mechanism
Concern: The skill includes an npm install command and a GitHub URL in SKILL.md but provides no install spec or packaged code in the registry for review. There is no pinned release, checksum, or provenance provided in the skill bundle, so the actual code that would be installed cannot be audited from this skill entry alone.
Credentials
Concern: Requesting AGENT_PRIVATE_KEY and RPC_URL is proportionate for a payment tool, but AGENT_PRIVATE_KEY is extremely sensitive. The SKILL.md also recommends placing the key in MCP config or env vars — practices that increase exposure. No secondary mitigations (hardware signer, read-only/subkeys, or explicit human-approval gating) are mandated by the instructions.
Persistence & Privilege
Note: The skill does not request always: true and does not claim to modify other skills, which is good. However, agent runtimes typically allow autonomous invocation by default; combined with the ability to sign transactions using a provided private key, autonomous invocation materially increases risk unless the agent runtime enforces explicit human approvals or very strict spend limits.