Environment variable access combined with network send.
Critical
- Code
- suspicious.env_credential_access
- Location
- dist/index.js:94
- Evidence
apiUrl: process.env.AGENTPAY_API_URL ?? pcfg?.apiUrl ?? "http://localhost:3000",
Security audit
Security checks across malware telemetry and agentic risk
The plugin matches its AgentPay wallet purpose, but it gives the agent API-key-backed tools that can move funds and change escrow or reputation records without clear in-skill confirmations or limits.
Only install this if you trust AgentPay and are comfortable giving an OpenClaw agent payment authority. Use a limited, revocable API key, verify the API URL, and require manual approval for transfers, escrow releases, deposits, and task/reputation changes.
VirusTotal engine telemetry is currently stale for this artifact.
Detected: suspicious.env_credential_access
apiUrl: process.env.AGENTPAY_API_URL ?? pcfg?.apiUrl ?? "http://localhost:3000",
apiUrl: process.env.AGENTPAY_API_URL ?? pcfg?.apiUrl ?? "http://localhost:3000",