Trusted — Risk Score 8/100
Last scan: 1 day ago
asgcard
Virtual MasterCards for AI agents — crypto payments via x402 protocol on Stellar blockchain
ASG Card is a legitimate virtual MasterCard payment infrastructure skill for AI agents built on x402/Stellar. All pre-scan IOCs are benign false positives in a genuine payment product.
Skill Name: asgcard
Duration: 95.5s
Engine: pi
Safe to install
Approve for use. No malicious behavior detected. The skill correctly handles cryptographic credentials, on-chain payments, and card data per its documented purpose.

Findings 4 items

Low: CLI filesystem WRITE not declared in SKILL.md (Doc Mismatch)
Location: cli/src/index.ts:53
The CLI writes ~/.asgcard/config.json for wallet key persistence. SKILL.md declares only env ASG_CARD_WALLET_SECRET but not the config file write. This is necessary functionality but not documented.
writeFileSync(CONFIG_FILE, JSON.stringify(config, null, 2), { mode: 0o600 });
→ Add to SKILL.md metadata under 'requires': 'bins: ["node"]' and document ~/.asgcard/config.json as the credential store location.

Low: External service credentials in HTTP requests (Sensitive Access)
Location: api/src/services/facilitatorClient.ts:79
FACILITATOR_API_KEY and FOURPAYMENTS_API_TOKEN are sent to external services (facilitator and 4payments.io) via Bearer auth. This is necessary for the payment flow but worth noting.
Authorization: `Bearer ${this.apiKey}`
→ This is standard for payment infrastructure. Ensure FACILITATOR_URL is a trusted endpoint.

Info: False positive: pre-scan base64_cmd IOCs are benign (Doc Mismatch)
Location: api/src/config/env.ts:99
The pre-scan flagged Buffer.from(..., 'base64') as CRITICAL obfuscation at 5 locations. All instances are legitimate: decoding CARD_DETAILS_KEY (32-byte AES key), decoding Stellar wallet signatures, and parsing x402 payment headers. No eval() or shell execution from base64.
Buffer.from(env.CARD_DETAILS_KEY, "base64")
→ No action needed. Pre-scan heuristic produced false positives for standard cryptographic base64 decoding.

Info: False positive: pre-scan hardcoded IP is SVG path data (Doc Mismatch)
Location: web/src/main.ts:175
Pre-scan flagged '5.92.42.36' at web/src/main.ts:175 as a hardcoded IP. This is actually part of the GitHub SVG logo path data (d attribute), not an IP address. False positive.
<path d="M12 .297c-6.63 0-12 5.373..."
→ No action needed.

Resource | Declared | Inferred | Status | Evidence
Shell | NONE | NONE | | No shell execution found in codebase
Filesystem | NONE | WRITE | ✓ Aligned | cli/src/index.ts:53 — config.json written to ~/.asgcard/
Network | READ | READ | ✓ Aligned | External calls to Stellar Horizon, facilitator, 4payments.io — all documented vi…
Environment | READ | READ | ✓ Aligned | ASG_CARD_WALLET_SECRET, FOURPAYMENTS_API_KEY — all used for payment operations o…
Skill Invoke | NONE | NONE | | No skill self-invocation or recursion found
Clipboard | NONE | NONE | | web/src/main.ts: copy button uses Clipboard API — documented UI feature
Browser | NONE | NONE | | Static web frontend only; no headless browser automation
Database | NONE | WRITE | ✓ Aligned | Internal PostgreSQL/in-memory DB for card state — server-side, not exposed to ag…

5 Critical 1 High 101 findings
Critical Encoded Execution: Base64-encoded execution (code obfuscation)
Buffer.from(env.CARD_DETAILS_KEY, "base64"
api/src/config/env.ts:99
Critical Encoded Execution: Base64-encoded execution (code obfuscation)
Buffer.from(signatureStr, "base64"
api/src/middleware/walletAuth.ts:27
Critical Encoded Execution: Base64-encoded execution (code obfuscation)
Buffer.from(headerValue, "base64"
api/src/middleware/x402.ts:90
Critical Encoded Execution: Base64-encoded execution (code obfuscation)
Buffer.from(base64Key, "base64"
api/src/utils/crypto.ts:23
Critical Encoded Execution: Base64-encoded execution (code obfuscation)
Buffer.from(header, "base64"
api/src/utils/payment.ts:29
High IP Address: Hardcoded IP address
5.92.42.36
web/src/main.ts:175

File Tree

156 files · 1.0 MB · 30762 lines
TypeScript 90f · 14491L JSON 18f · 11024L CSS 2f · 2230L Markdown 13f · 1259L HTML 4f · 832L JavaScript 4f · 444L SQL 9f · 311L Text 3f · 120L XML 1f · 51L
├─ 📁 api
│ ├─ 📁 __tests__
│ │ ├─ 📜 persistence.test.ts TypeScript 288L · 11.0 KB
│ │ ├─ 📜 setup.ts TypeScript 4L · 108 B
│ │ ├─ 📜 webhook-and-verify.test.ts TypeScript 164L · 5.7 KB
│ │ └─ 📜 x402-challenge.test.ts TypeScript 179L · 6.4 KB
│ ├─ 📁 scripts
│ │ ├─ 📜 e2e-mainnet.js JavaScript 189L · 8.8 KB
│ │ └─ 📜 preflight.js JavaScript 210L · 9.2 KB
│ ├─ 📁 src
│ │ ├─ 📁 config
│ │ │ ├─ 📜 env.ts TypeScript 130L · 5.6 KB
│ │ │ └─ 📜 pricing.ts TypeScript 113L · 2.4 KB
│ │ ├─ 📁 db
│ │ │ ├─ 📁 migrations
│ │ │ │ ├─ 📄 001_create_tables.sql SQL 76L · 3.1 KB
│ │ │ │ ├─ 📄 002_api_metrics.sql SQL 16L · 643 B
│ │ │ │ ├─ 📄 003_bot_tables.sql SQL 85L · 3.8 KB
│ │ │ │ ├─ 📄 004_agent_access.sql SQL 20L · 978 B
│ │ │ │ ├─ 📄 005_nonce_retention.sql SQL 35L · 1.2 KB
│ │ │ │ ├─ 🔑 006_card_reveal_tokens.sql SQL 39L · 1.9 KB
│ │ │ │ ├─ 📄 007_api_activity.sql SQL 28L · 1.1 KB
│ │ │ │ ├─ 📄 008_last_four.sql SQL 7L · 283 B
│ │ │ │ └─ 📄 009_profile_fields.sql SQL 5L · 193 B
│ │ │ └─ 📜 db.ts TypeScript 65L · 1.7 KB
│ │ ├─ 📁 middleware
│ │ │ ├─ 📜 agentDetailsMiddleware.ts TypeScript 79L · 2.6 KB
│ │ │ ├─ 📜 walletAuth.ts TypeScript 97L · 3.1 KB
│ │ │ └─ 📜 x402.ts TypeScript 217L · 6.9 KB
│ │ ├─ 📁 modules
│ │ │ ├─ 📁 admin
│ │ │ │ ├─ 📜 adminBot.ts TypeScript 223L · 8.4 KB
│ │ │ │ ├─ 📜 index.ts TypeScript 10L · 253 B
│ │ │ │ ├─ 📜 statusCollector.ts TypeScript 337L · 11.0 KB
│ │ │ │ └─ 📜 webhook.ts TypeScript 225L · 8.2 KB
│ │ │ ├─ 📁 authz
│ │ │ │ ├─ 📜 auditService.ts TypeScript 84L · 2.9 KB
│ │ │ │ ├─ 📜 index.ts TypeScript 9L · 239 B
│ │ │ │ └─ 📜 ownerPolicy.ts TypeScript 82L · 2.3 KB
│ │ │ ├─ 📁 bot
│ │ │ │ ├─ 📁 commands
│ │ │ │ │ ├─ 📜 faq.ts TypeScript 22L · 529 B
│ │ │ │ │ ├─ 📜 fund.ts TypeScript 222L · 7.7 KB
│ │ │ │ │ ├─ 📜 myCards.ts TypeScript 416L · 13.4 KB
│ │ │ │ │ ├─ 📜 profile.ts TypeScript 191L · 6.3 KB
│ │ │ │ │ ├─ 📜 start.ts TypeScript 68L · 2.0 KB
│ │ │ │ │ └─ 📜 support.ts TypeScript 22L · 548 B
│ │ │ │ ├─ 📁 services
│ │ │ │ │ ├─ 📜 alertService.ts TypeScript 207L · 7.1 KB
│ │ │ │ │ ├─ 📜 metricsService.ts TypeScript 181L · 6.2 KB
│ │ │ │ │ └─ 📜 statementService.ts TypeScript 186L · 6.1 KB
│ │ │ │ ├─ 📜 index.ts TypeScript 11L · 333 B
│ │ │ │ ├─ 📜 keyboards.ts TypeScript 73L · 2.4 KB
│ │ │ │ ├─ 📜 telegramClient.ts TypeScript 174L · 5.2 KB
│ │ │ │ ├─ 📜 templates.ts TypeScript 215L · 8.0 KB
│ │ │ │ └─ 📜 webhook.ts TypeScript 362L · 13.1 KB
│ │ │ ├─ 📁 notify
│ │ │ │ ├─ 📜 eventRouter.ts TypeScript 55L · 1.7 KB
│ │ │ │ ├─ 📜 index.ts TypeScript 9L · 241 B
│ │ │ │ └─ 📜 notifyService.ts TypeScript 184L · 5.8 KB
│ │ │ └─ 📁 portal
│ │ │ ├─ 📜 agentAccess.ts TypeScript 58L · 1.8 KB
│ │ │ ├─ 📜 index.ts TypeScript 10L · 301 B
│ │ │ ├─ 📜 linkService.ts TypeScript 220L · 7.1 KB
│ │ │ └─ 📜 routes.ts TypeScript 95L · 2.7 KB
│ │ ├─ 📁 repositories
│ │ │ ├─ 📜 inMemoryCardRepo.ts TypeScript 88L · 3.0 KB
│ │ │ ├─ 📜 inMemoryPaymentRepo.ts TypeScript 47L · 1.6 KB
│ │ │ ├─ 📜 pgCardRepo.ts TypeScript 220L · 8.4 KB
│ │ │ ├─ 📜 pgPaymentRepo.ts TypeScript 125L · 4.2 KB
│ │ │ ├─ 📜 pgWebhookEventRepo.ts TypeScript 76L · 2.7 KB
│ │ │ ├─ 📜 runtime.ts TypeScript 78L · 2.8 KB
│ │ │ └─ 📜 types.ts TypeScript 73L · 2.6 KB
│ │ ├─ 📁 routes
│ │ │ ├─ 📜 ops.ts TypeScript 298L · 11.5 KB
│ │ │ ├─ 📜 paid.ts TypeScript 100L · 2.9 KB
│ │ │ ├─ 📜 public.ts TypeScript 94L · 2.4 KB
│ │ │ ├─ 📜 wallet.ts TypeScript 103L · 2.7 KB
│ │ │ └─ 📜 webhook.ts TypeScript 134L · 4.8 KB
│ │ ├─ 📁 services
│ │ │ ├─ 📜 cardService.ts TypeScript 394L · 12.0 KB
│ │ │ ├─ 📜 facilitatorClient.ts TypeScript 202L · 6.7 KB
│ │ │ ├─ 📜 fourPaymentsClient.ts TypeScript 327L · 9.0 KB
│ │ │ ├─ 📜 metrics.ts TypeScript 79L · 2.5 KB
│ │ │ └─ 📜 paymentService.ts TypeScript 117L · 4.6 KB
│ │ ├─ 📁 types
│ │ │ ├─ 📜 domain.ts TypeScript 49L · 962 B
│ │ │ ├─ 📜 express.d.ts TypeScript 12L · 233 B
│ │ │ ├─ 📜 http-context.ts TypeScript 14L · 266 B
│ │ │ └─ 📜 x402.ts TypeScript 77L · 2.5 KB
│ │ ├─ 📁 utils
│ │ │ ├─ 📜 crypto.ts TypeScript 85L · 2.5 KB
│ │ │ ├─ 📜 html.ts TypeScript 19L · 485 B
│ │ │ ├─ 📜 logger.ts TypeScript 84L · 2.3 KB
│ │ │ └─ 📜 payment.ts TypeScript 35L · 707 B
│ │ ├─ 📜 app.ts TypeScript 55L · 2.0 KB
│ │ ├─ 📜 index.ts TypeScript 12L · 310 B
│ │ └─ 📜 vercel.ts TypeScript 5L · 82 B
│ ├─ 📋 package.json JSON 39L · 1.0 KB
│ ├─ 📋 tsconfig.json JSON 23L · 468 B
│ ├─ 📋 vercel.json JSON 15L · 191 B
│ └─ 📜 vitest.config.ts TypeScript 11L · 279 B
├─ 📁 cli
│ ├─ 📁 src
│ │ ├─ 📜 index.ts TypeScript 438L · 15.6 KB
│ │ └─ 📜 wallet-client.ts TypeScript 154L · 4.5 KB
│ ├─ 📋 package-lock.json JSON 1640L · 53.5 KB
│ ├─ 📋 package.json JSON 52L · 1.1 KB
│ ├─ 📝 README.md Markdown 101L · 2.2 KB
│ └─ 📋 tsconfig.json JSON 19L · 445 B
├─ 📁 docs
│ └─ 📁 adr
│ ├─ 📝 ADR-001-service-boundaries.md Markdown 71L · 4.1 KB
│ ├─ 📝 ADR-002-x402-verify-settle-stellar.md Markdown 118L · 4.7 KB
│ └─ 📝 ADR-003-smart-wallet-fit.md Markdown 108L · 5.4 KB
├─ 📁 mcp-server
│ ├─ 📁 src
│ │ ├─ 📜 index.ts TypeScript 39L · 1.1 KB
│ │ ├─ 📜 server.ts TypeScript 349L · 10.3 KB
│ │ └─ 📜 wallet-client.ts TypeScript 154L · 4.5 KB
│ ├─ 📋 package-lock.json JSON 2340L · 77.9 KB
│ ├─ 📋 package.json JSON 55L · 1.2 KB
│ ├─ 📝 README.md Markdown 93L · 2.5 KB
│ └─ 📋 tsconfig.json JSON 20L · 473 B
├─ 📁 sdk
│ ├─ 📁 src
│ │ ├─ 📁 errors
│ │ │ └─ 📜 index.ts TypeScript 38L · 843 B
│ │ ├─ 📁 types
│ │ │ └─ 📜 index.ts TypeScript 154L · 3.9 KB
│ │ ├─ 📁 utils
│ │ │ └─ 📜 x402.ts TypeScript 311L · 9.8 KB
│ │ ├─ 📜 client.ts TypeScript 166L · 4.6 KB
│ │ └─ 📜 index.ts TypeScript 34L · 577 B
│ ├─ 📋 package.json JSON 43L · 923 B
│ ├─ 📝 README.md Markdown 112L · 2.5 KB
│ └─ 📋 tsconfig.json JSON 10L · 147 B
├─ 📁 web
│ ├─ 📁 docs
│ │ └─ 📄 index.html HTML 114L · 4.3 KB
│ ├─ 📁 public
│ │ ├─ 📄 404.html HTML 170L · 4.5 KB
│ │ ├─ 📄 agent.txt Text 78L · 1.7 KB
│ │ ├─ 📦 algorand-logo.svg 440 B
│ │ ├─ 📦 arbitrum-logo.svg 1.9 KB
│ │ ├─ 📦 coinbase-logo.svg 775 B
│ │ ├─ 📝 docs.md Markdown 212L · 5.1 KB
│ │ ├─ 📄 llms.txt Text 37L · 892 B
│ │ ├─ 📦 logo-lockup-light.svg 472 B
│ │ ├─ 📦 logo-lockup.svg 448 B
│ │ ├─ 📦 logo-mark-dark.svg 237 B
│ │ ├─ 📦 logo-mark-light.svg 237 B
│ │ ├─ 📦 logo-mark.svg 237 B
│ │ ├─ 📦 logo-wordmark.svg 246 B
│ │ ├─ 📄 og-builder.html HTML 439L · 13.7 KB
│ │ ├─ 📋 openapi.json JSON 887L · 22.8 KB
│ │ ├─ 📦 payai-logo.svg 4.6 KB
│ │ ├─ 📄 robots.txt Text 5L · 66 B
│ │ ├─ 📄 sitemap.xml XML 51L · 1.5 KB
│ │ ├─ 📦 stellar-logo-lockup.svg 3.2 KB
│ │ └─ 📦 stellar-logo-mark.svg 3.2 KB
│ ├─ 📁 src
│ │ ├─ 📁 algorand
│ │ │ └─ 📜 proposal.ts TypeScript 169L · 9.6 KB
│ │ ├─ 📁 arbitrum
│ │ │ └─ 📜 proposal.ts TypeScript 170L · 9.6 KB
│ │ ├─ 📁 coinbase
│ │ │ └─ 📜 proposal.ts TypeScript 169L · 9.8 KB
│ │ ├─ 📁 cypher
│ │ │ └─ 📜 proposal.ts TypeScript 151L · 9.0 KB
│ │ ├─ 📁 lib
│ │ │ └─ 📜 pricing.ts TypeScript 184L · 4.7 KB
│ │ ├─ 📁 paypal
│ │ │ └─ 📜 proposal.ts TypeScript 158L · 9.5 KB
│ │ ├─ 📁 portal
│ │ │ └─ 📜 portal.ts TypeScript 420L · 15.2 KB
│ │ ├─ 📁 wirex
│ │ │ └─ 📜 proposal.ts TypeScript 151L · 9.0 KB
│ │ ├─ 📄 docs.css CSS 777L · 16.0 KB
│ │ ├─ 📜 docs.ts TypeScript 1547L · 72.2 KB
│ │ ├─ 📜 main.ts TypeScript 1039L · 45.4 KB
│ │ ├─ 📜 proposal.ts TypeScript 171L · 9.7 KB
│ │ ├─ 📄 style.css CSS 1453L · 39.4 KB
│ │ └─ 📜 vite-env.d.ts TypeScript 1L · 38 B
│ ├─ 📄 index.html HTML 109L · 4.4 KB
│ ├─ 📋 package.json JSON 19L · 466 B
│ ├─ 📜 postcss.config.js JavaScript 6L · 92 B
│ ├─ 📜 tailwind.config.js JavaScript 39L · 1.0 KB
│ ├─ 📋 tsconfig.json JSON 26L · 654 B
│ ├─ 📋 vercel.json JSON 13L · 238 B
│ └─ 📜 vite.config.ts TypeScript 24L · 584 B
├─ 📝 CONTRIBUTING.md Markdown 74L · 2.1 KB
├─ 📋 package-lock.json JSON 5791L · 193.4 KB
├─ 📋 package.json JSON 18L · 378 B
├─ 📝 PUBLIC_REPO_MANIFEST.md Markdown 44L · 1.8 KB
├─ 📝 README.md Markdown 178L · 6.5 KB
├─ 📝 SECURITY.md Markdown 53L · 1.1 KB
├─ 📝 SKILL.md Markdown 61L · 2.0 KB
├─ 📝 TECHNICAL_OVERVIEW.md Markdown 34L · 1.2 KB
└─ 📋 tsconfig.base.json JSON 14L · 312 B

Dependencies 7 items

Package | Version | Source | Known Vulns | Notes
@stellar/stellar-sdk | ^14.5.0 (api), ^13.1.0 (sdk/mcp/cli) | npm | No | Reputable, widely-used Stellar SDK; ^ allows minor/patch updates
@modelcontextprotocol/sdk | ^1.12.1 | npm | No | Official MCP SDK from Anthropic
express | ^4.21.2 | npm | No | Latest stable, no known vulnerabilities
tweetnacl | ^1.0.3 | npm | No | NACL box cryptography — reputable
zod | ^4.1.5 (api), ^3.24.4 (mcp) | npm | No | Schema validation library
commander | ^13.1.0 | npm | No | CLI framework — reputable
bs58 | ^6.0.0 | npm | No | Base58 encoding for legacy Solana-era signature format compat

Security Positives

✓ Stellar wallet authentication uses Ed25519 signature verification with timestamp anti-replay (MAX_CLOCK_DRIFT_SECONDS=300)
✓ Card details are AES-256-GCM encrypted at rest with a 32-byte validated key
✓ Nonce + anti-replay protection on card details access (REALIGN-003: X-AGENT-NONCE header, rate-limited to 5/hour)
✓ Owner can revoke agent access to card details (REALIGN-005)
✓ x402 payment flow includes a facilitator-based verify+settle with on-chain txHash as source of truth
✓ No credential exfiltration — API keys and secrets are used only for their intended payment services
✓ No curl|bash, no eval(), no subprocess with shell, no suspicious network patterns
✓ Dependencies are from reputable packages (@stellar/stellar-sdk, tweetnacl) with pinned versions in SDK
✓ Config file written with mode 0o600 (owner read/write only)
✓ SQL migrations use parameterized queries (no SQL injection vectors found)