Back to plugin

Security audit

AgentPay Wallet

Security checks across malware telemetry and agentic risk

Overview

The plugin matches its AgentPay wallet purpose, but it gives the agent API-key-backed tools that can move funds and change escrow or reputation records without clear in-skill confirmations or limits.

Only install this if you trust AgentPay and are comfortable giving an OpenClaw agent payment authority. Use a limited, revocable API key, verify the API URL, and require manual approval for transfers, escrow releases, deposits, and task/reputation changes.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
dist/index.js:94
Evidence
apiUrl: process.env.AGENTPAY_API_URL ?? pcfg?.apiUrl ?? "http://localhost:3000",

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
src/index.ts:108
Evidence
apiUrl: process.env.AGENTPAY_API_URL ?? pcfg?.apiUrl ?? "http://localhost:3000",