Back to skill

Security audit

Agent Pay Client

Security checks across malware telemetry and agentic risk

Overview

This payment client is mostly purpose-aligned, but it needs Review because its automatic payment paths include real spending authority with unsafe or under-enforced safeguards.

Review carefully before installing or using with real funds. Use inspection-only mode unless you need payments, avoid enabling L402 auto-pay until invoice amount validation and TLS verification are fixed, restrict payable URLs yourself, and install with current patched dependencies.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill advertises network-capable behavior (calling arbitrary paywalled HTTP endpoints, talking to LND REST, and interacting with x402/L402 services) while declaring no permissions/protocols. This creates a trust and review gap: hosts or users may assume the skill is inert or low-privilege when it can actually initiate outbound connections and trigger payment flows against remote services.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The safety documentation states that spending ceilings are enforced before any signing or network call, but in the L402 path the code allows automatic payment when `req.amount_sats` is absent because the check only rejects when `req.amount_sats` is truthy and greater than the ceiling. That means an unpriced or malformed invoice can still be submitted to LND for payment, undermining the documented safety model and potentially causing unintended spending.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The fetch() path will automatically settle a 402 payment and retry the original request whenever the server returns payment options and the configured credentials/ceilings permit it. In an agent context, this can cause unintended spending or payment to an attacker-controlled endpoint without any explicit per-transaction approval, especially if the URL or request parameters are influenced by untrusted input.

Known Vulnerable Dependency: requests==2.28.0 — 8 advisory(ies): CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi); CVE-2026-25645 (Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility func) +5 more

High
Category
Supply Chain
Confidence
88% confidence
Finding
requests==2.28.0

Unsafe Defaults

Medium
Category
Tool Misuse
Content
f"{config.lnd_rest_url}/v1/channels/transactions",
            headers={"Grpc-Metadata-macaroon": config.lnd_macaroon_hex},
            json={"payment_request": req.invoice},
            verify=False, timeout=30,  # LND REST commonly self-signed; caller's node, caller's risk
        )
        data = resp.json()
        if data.get("payment_error"):
Confidence
98% confidence
Finding
verify=False

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

Detected: suspicious.insecure_tls_verification

HTTPS certificate verification is disabled.

Warn
Code
suspicious.insecure_tls_verification
Location
agent_pay_client/payer.py:175