Is mavagio/mpc-accept-crypto-payments safe?

https://github.com/openclaw/skills/tree/main/skills/mavagio/mpc-accept-crypto-payments

89
SAFE

The mpc-accept-crypto-payments skill is a legitimate, security-conscious merchant integration for the Helio (MoonPay Commerce) Solana payment API. The code demonstrates solid defensive design: whitelisted config file parsing with ownership validation, input sanitization for API identifier arguments, proper Bearer token header usage for secrets, and 600-permission credential storage. The only material gap is that the paylink name argument bypasses the input sanitizer (though it is safely downstream-handled by jq --arg and poses only a terminal escape injection risk). No prompt injection, unauthorized file access, remote code download, or exfiltration behavior was detected during installation or analysis.

Category Scores

Prompt Injection 93/100 · 30%
Data Exfiltration 85/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 92/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 82/100 · 5%

Findings (5)

LOW Paylink name parameter bypasses input sanitization -10

The 'create-paylink' command's first argument (the paylink name) is not passed through the validate_input function that enforces the safe character allowlist for other arguments. While the value is safely passed to the Helio API via jq --arg (which JSON-escapes the string, preventing JSON injection), it is also interpolated directly into an echo statement without sanitization. A malicious paylink name containing terminal escape sequences could cause terminal output injection. The CHANGELOG explicitly calls out terminal output injection as a known risk category that v0.3.0 addressed, but the name argument was not included in the fix.

LOW API key exposed in URL query parameter per Helio API design -10

The Helio API mandates the public API key as a URL query parameter (?apiKey=...) on every authenticated endpoint. This means the key will appear in shell history, server access logs, curl verbose output, and any network monitoring. The API secret is correctly placed in the Authorization Bearer header. This is an upstream API design constraint, not a vulnerability introduced by the skill, but users should be aware the API key has reduced confidentiality.

INFO Financial merchant credentials required and persisted to disk -5

The skill requires HELIO_API_KEY and HELIO_API_SECRET which grant full merchant access to create pay links, generate checkout URLs, and view transaction history. These credentials are stored in ~/.mpc/helio/config with chmod 600 and validated ownership. While the handling is secure, users should understand that compromise of the config file or env vars would allow an attacker to create fraudulent payment links billable to the user's merchant account.

INFO lock.json references unrelated co-installed skill -5

The .clawhub/lock.json file bundled with the skill lists 'academic-research-hub' v0.1.0 as an installed skill with a timestamp predating this skill's own publication. This appears to be a lock file snapshot from the developer's own environment included accidentally during packaging. It is not a functional dependency declaration and poses no direct threat, but indicates the skill was not packaged from a clean environment.

INFO Canary files accessed during audit window by platform processes 0

Audit PATH records show honeypot files (.env, id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) were opened at two points in the monitoring window. Cross-referencing timestamps, the first batch (1771931030.655-657) occurs before the git clone begins (1771931036.073) and the second batch (1771931046.828) occurs after install completes. These access patterns are consistent with the openclaw audit platform performing its own pre/post-install canary verification scans, not with any skill script execution. Canary integrity report confirms all files are unmodified.