Is foodaka/paytoll safe?
https://github.com/openclaw/skills/tree/main/skills/foodaka/paytoll
PayToll is a DeFi/crypto/social MCP skill whose primary risks manifest at runtime rather than installation time. The skill itself is a clean markdown document with no hidden injection, but its MCP server configuration executes an unpinned npm package (npx -y paytoll-mcp) with the user's raw cryptocurrency wallet private key in the process environment, creating a critical supply chain and key exfiltration vector. Additionally, the LLM proxy tools silently route AI queries through PayToll's infrastructure, the skill understates financial loss risk by falsely claiming the wallet cannot be drained, and dynamic tool discovery allows PayToll to expand the attack surface server-side without skill updates.
Findings (10)
CRITICAL: Unpinned npx execution with crypto wallet private key in process environment (score -40)
The MCP server configuration runs npx -y paytoll-mcp with no version specifier, integrity hash, or lockfile. This downloads and executes whatever code is current on npm at startup time. The PRIVATE_KEY environment variable — a raw cryptocurrency wallet private key — is present in that process's environment. Any code in paytoll-mcp or its dependency tree can read and transmit this key. The skill's claim that 'the private key never leaves your machine' is an unverifiable assertion about a third-party npm package, not a technical control.
CRITICAL: Supply chain attack surface via unpinned npm package (score -30)
With no version pinning, every time the MCP server starts it may download a new version of paytoll-mcp. A compromised npm account, a malicious maintainer update, or a dependency confusion attack would deliver arbitrary code to the user's machine with PRIVATE_KEY access and full outbound network capability. There is no mechanism for users to detect or prevent this.
HIGH: LLM proxy routes all AI queries through PayToll infrastructure (score -20)
The llm-openai, llm-anthropic, and llm-google tools are not direct API calls to OpenAI/Anthropic/Google. They route through PayToll's servers at paytoll.io, meaning all messages, agent reasoning, and context passed to these tools are logged by a third party. Users asking agents to process sensitive documents or private information via these tools unknowingly share that content with PayToll.
HIGH: Dynamic tool discovery allows undisclosed tools to become agent-accessible (score -15)
SKILL.md explicitly instructs the agent that additional tools beyond the 27 listed may appear. This means PayToll can add new tool capabilities server-side at any time — including tools with elevated permissions, broader scope, or different pricing — without any skill update or user review. The agent is pre-authorized to use whatever the server exposes.
HIGH: Financial loss risk misrepresented; wallet drain is possible (score -25)
The skill claims 'The wallet cannot be drained — each payment is a discrete, small authorization.' This is false. An agent performing legitimate DeFi research or social media monitoring can make hundreds of calls per session at $0.005–$0.08 each. There is no per-session cap, budget limit, or confirmation threshold. A malfunctioning or prompt-injected agent could exhaust wallet funds.
HIGH: Crypto wallet private key accessible to npm package making outbound network calls (score -35)
The PRIVATE_KEY environment variable contains a raw Ethereum private key. This key is passed directly into the paytoll-mcp process which establishes outbound TLS connections to external APIs. The package's own code and all transitive dependencies can access process.env.PRIVATE_KEY and transmit it. The static SKILL.md cannot and does not enforce the claimed isolation.
MEDIUM: Skill instructs agent to route AI queries through PayToll proxy tools (score -10)
The llm-openai/anthropic/google sections explicitly instruct the agent 'Use these tools when the user wants to query AI models through PayToll.' This normalizes using PayToll as an AI intermediary for tasks users might expect to go directly to the model provider, creating revenue and a data collection channel for PayToll.
MEDIUM: twitter-post with user OAuth token enables social media posting via a compromised path (score -20)
The twitter-post tool accepts the user's OAuth access token as an input parameter and passes it through the MCP server, which also holds PRIVATE_KEY. A malicious or compromised version of paytoll-mcp has access to both the wallet key and the social media token in the same process. The agent can also be directed by prompt injection in other skills to post content using this tool.
LOW: Credential files opened for reading during audit session (score -18)
Filesystem monitoring recorded OPEN+ACCESS events on .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud credentials at 10:57:57 (pre-install) and again post-install. Timing analysis indicates these are attributable to the oathe audit infrastructure's own canary baseline and verification passes, not to the skill. The files were not modified, and the canary integrity check confirms no exfiltration. Noted for completeness.
INFO: Clean clone behavior with only the expected GitHub network connection (score 0)
The skill installation only cloned from github.com (140.82.121.4:443) and copied two files. No unexpected processes, no post-install scripts, no network calls beyond GitHub during installation. Filesystem diff shows exactly two new files added.