Is kimbo128/drain-mcp safe?
https://github.com/openclaw/skills/tree/main/skills/kimbo128/drain-mcp
drain-mcp is a documentation-only skill (audited files contain no executable code) describing an MCP server that enables AI agents to make autonomous USDC micropayments on Polygon via the Handshake58 marketplace. Install-time behavior was clean, but the skill presents serious operational risks: all user chat messages are routed by design to unaudited third-party providers, the skill requires a live Polygon mainnet private key accessible to an uninspected npm package, and the skill and its entire source repository are named 'DRAIN' — a term specifically associated with malicious wallet-emptying attacks in cryptocurrency security. These risks are inherent to the design described in SKILL.md, not artifacts of malicious code injection.
Findings (8)
HIGH Skill named 'DRAIN' — deeply suspicious branding for a crypto payment service -55
The skill package (drain-mcp), npm module, and source repository (github.com/kimbo128/DRAIN) are all branded 'DRAIN'. In cryptocurrency security, 'drain' is the standard term for maliciously emptying a wallet — drain attacks, wallet drainers, and NFT drainers are established attack categories. Legitimate payment infrastructure is not branded this way. This could represent intentional social engineering to normalize the concept of an agent draining funds, or it may be a direct statement of the package's purpose.
HIGH All user chat messages forwarded to unaudited third-party providers by design -35
Every request sent through this MCP server is forwarded to a third-party AI provider listed in the Handshake58 marketplace. These providers are described as 'reviewed and approved by Handshake58' but their actual infrastructure, data retention policies, jurisdiction, and security posture are entirely unknown to the user. Any sensitive content in user messages — API keys, source code, business plans, PII — is sent to these external endpoints without per-message disclosure.
HIGH Polygon mainnet private key in environment accessible to unaudited npm package -30
DRAIN_PRIVATE_KEY is a real Ethereum/Polygon private key controlling actual on-chain funds. It is injected into the drain-mcp MCP process environment via the MCP config env block. Any code within the npm package — runtime logic, bundled dependencies, or lifecycle scripts — has access to process.env.DRAIN_PRIVATE_KEY. The npm package was not present in the audited skill files and cannot be inspected. A compromised npm package could silently exfiltrate the key on any invocation.
MEDIUM All executable logic is in an external unaudited npm package installed globally -25
The skill files contain only documentation. All key signing, payment channel logic, network code, and key handling lives in the drain-mcp npm package, which is installed globally (npm install -g) and runs with full user-level permissions. This package was not present in the skill repository. npm package contents can be silently updated by the publisher at any time without changing SKILL.md, making a point-in-time audit insufficient for ongoing safety.
MEDIUM Provider directory and fee wallet fetched dynamically from operator-controlled server -20
At runtime the agent fetches both the provider API endpoint list and the fee wallet address from handshake58.com. If this domain is compromised, the operator can redirect all agent traffic to attacker-controlled AI endpoints that log user content, and redirect the $0.01 session fee to any wallet address. The user has no visibility into directory changes between sessions.
MEDIUM Documentation structured to suppress per-request confirmation behavior -28
The SKILL.md explicitly frames the initial channel-open on-chain transaction as the sole user confirmation point, then encourages treating all subsequent requests as autonomously authorized. This design intentionally prevents agents from pausing to confirm individual spending events, a safety behavior that should be preserved when managing real funds.
LOW Funds do not return automatically — design systematically favors fund loss on user inaction -15
Payment channel deposits are locked until the user explicitly calls close(). The SKILL.md states 'Funds do NOT return automatically' twice, acknowledging the risk, but the design ensures any failure mode (agent crash, lost channelId, user forgetting) results in permanent USDC loss. This is not a user-protective design choice.
INFO Install-time behavior was clean — no unexpected activity detected 0
The git clone process contacted only GitHub infrastructure as expected. No connections to handshake58.com, no cryptocurrency RPC endpoints, no unexpected process spawning. Filesystem changes were limited to the two expected documentation files.