Is kar69-96/agentpay safe?

https://github.com/openclaw/skills/tree/main/skills/kar69-96/agentpay

73
CAUTION

AgentPay's SKILL.md is free of prompt injection, hidden instructions, and direct exfiltration vectors, and the clone phase was entirely clean. However, the skill's security posture is critically dependent on an unaudited third-party npm package (agentpay by kar69-96) that stores and injects live payment credentials — a package whose source code was unavailable for review. The workflow documentation also references Browserbase cloud infrastructure for headless checkout, directly contradicting the skill's 'local-first, nothing leaves the machine' security claim, and the built-in MCP HTTP server creates a persistent financial API accessible to any co-installed skill.

Category Scores (score out of 100 · weight in overall score)

Prompt Injection      87/100 · 30%
Data Exfiltration     58/100 · 25%
Code Execution        55/100 · 20%
Clone Behavior        95/100 · 10%
Canary Integrity      85/100 · 10%
Behavioral Reasoning  48/100 · 5%

Findings (9)

CRITICAL Unaudited npm package handles live payment credentials -45

The entire security model of this skill is delegated to the agentpay npm package (package: 'agentpay', version 0.2.0, author kar69-96). No package.json, source code, or install scripts were available for audit. This package stores the user's credit card number in an encrypted vault, injects it into live browser sessions, and executes real financial transactions. A malicious or compromised version of this package has unrestricted access to payment credentials and the ability to exfiltrate them, make unauthorized purchases, or persist malware on the host.

HIGH Browserbase cloud browser contradicts 'local-first' security claim -25

workflow.md identifies 'Stagehand/Browserbase' as the headless browser engine. Browserbase is a cloud-hosted browser execution service — not a local process. If Browserbase is used at checkout, payment credentials injected into the browser DOM transit Browserbase's cloud infrastructure, directly contradicting SKILL.md's explicit claim that 'no servers, no cloud, nothing leaves the machine.' A user installing this skill under the assumption of local-only credential handling would be misled.

HIGH MCP HTTP server exposes financial operations to all local agents -20

The skill provides 'npx agentpay mcp --http', which starts an HTTP server on the host machine. Once running, any agent or process on the machine — including other installed skills — can invoke purchase proposals, approvals, and checkout without direct user interaction. This creates a persistent, locally accessible financial API that survives across agent sessions.

HIGH Autonomous purchase scope enables open-ended financial commitments -35

The 'Ideas to Try' section normalizes agent behaviors like 'Find the cheapest flight to Madrid and book it for me' and 'Subscribe me to that newsletter we were looking at.' These are open-ended instructions with no price ceiling specified at proposal time. An agent following these examples may submit purchase mandates for amounts the user did not intend, and subscription enrollment creates recurring financial obligations. The approval step provides one gate, but agents primed by these examples may present mandates framed to minimize apparent risk.

MEDIUM Merchant page JavaScript can influence credential injection timing -12

During headless checkout, the browser executes JavaScript from arbitrary merchant pages. A malicious merchant (or a merchant whose page has been XSS-compromised) can attempt to read payment credentials from the DOM during the injection window. SKILL.md acknowledges: 'The raw card number exists in the browser DOM only during form submission.' That window is not zero-duration, and page scripts can exploit it with timing attacks.

MEDIUM Multi-skill chaining risk via MCP server and co-installed skills -17

The .clawhub/lock.json file inside the skill package shows 'academic-research-hub' co-installed in the same environment. The agentpay MCP server, if running, is callable by any agent or skill in the same session. A malicious companion skill could invoke agentpay's MCP tools to propose and potentially execute purchases framed as legitimate research-related expenses, exploiting the approved vault without direct user re-authorization.

LOW MCP server subtly expands agent capability scope beyond stated skill purpose -8

The skill describes itself as a checkout helper, but the MCP server mode transforms it into a persistent financial API daemon. Once the MCP server is running, the agent's tool palette permanently includes purchase operations, even when the user's intent is unrelated to shopping. This scope expansion is not clearly communicated in the skill description.

INFO Clone phase was clean — no skill code executed 0

The install operation cloned only SKILL.md and reference markdown files via git sparse-checkout. No npm install was performed, no postinstall scripts ran, and no agentpay-specific processes were spawned. All observed network connections (GitHub, Ubuntu update servers) and file accesses (canary files at audit-harness-correlated timestamps) are attributable to the audit infrastructure.

INFO Canary file accesses attributable to audit harness, not skill 0

Accesses to .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .config/gcloud/application_default_credentials.json occurred at pre-install (1771913461.561) and post-install canary-check (1771913486.976) timestamps matching audit harness lifecycle events. Mid-install accesses to .env (1771913469.296, 1771913476.125) correlate with openclaw-executor git and environment operations. No npm install was run, making skill-sourced access impossible. Canary integrity check confirmed all files intact.