LobPay

Pass

Audited by VirusTotal on May 10, 2026.

Findings (1)

The LobPay skill facilitates automated commerce via the X402 protocol on the Base network, but it employs high-risk security practices for handling sensitive credentials. Specifically, `register.js` accepts a plaintext private key as a command-line argument and stores it, along with an API key, in an unencrypted JSON file at `~/.lobpay/config.json`. While these capabilities are plausibly needed for the stated purpose of local transaction signing, they represent significant security vulnerabilities (exposure via process monitoring and insecure local storage). The core logic in `buy.js` and `purchase.js` appears to correctly implement the X402 payment flow using the `viem` library, and no evidence of intentional data exfiltration or malicious command execution was found.