中文 EN

Scan Report

Scan New Files

Trusted — Risk Score 5/100
Last scan:22 hr ago Rescan
5 /100
spraay
Payment infrastructure for AI agents - batch crypto payments, x402 micropayment gateway, agent-to-agent USDC settlement, multi-chain payroll, Bitcoin PSBT transactions, and robot task commissioning via RTP
Spraay is a legitimate payment infrastructure skill with no malicious behavior detected. All operations are properly documented, and network calls exclusively target the declared gateway.spraay.app endpoint.
Skill Namespraay
Duration35.8s
Enginepi
Safe to install
Approve for use. The skill performs standard payment gateway operations through documented curl commands with no credential harvesting, data exfiltration, or obfuscation.
ResourceDeclaredInferredStatusEvidence
Network READ READ ✓ Aligned bins: [curl] in SKILL.md
Filesystem NONE READ ✓ Aligned scripts/spraay.sh:79 - ipfs-pin reads files via base64 for legitimate IPFS funct…
Shell NONE WRITE ✓ Aligned scripts/spraay.sh is a wrapper script; shell execution is limited to curl comman…
10 findings
🔗
Medium External URL 外部 URL
https://spraay.app
SKILL.md:25
🔗
Medium External URL 外部 URL
https://gateway.spraay.app
SKILL.md:47
💰
Medium Wallet Address 加密货币钱包地址
0x1646452F98E36A3c9Cfc3eDD8868221E207B5eEC
SKILL.md:61
💰
Medium Wallet Address 加密货币钱包地址
0xAd62f03C7514bb8c51f1eA70C2b75C37404695c8
SKILL.md:217
🔗
Medium External URL 外部 URL
https://docs.spraay.app
SKILL.md:222
🔗
Medium External URL 外部 URL
https://x.com/Spraay_app
SKILL.md:225
🔗
Medium External URL 外部 URL
https://warpcast.com/plag
SKILL.md:226
🔗
Medium External URL 外部 URL
https://mempool.space/tx/abc123...
references/bitcoin-psbt.md:71
🔗
Medium External URL 外部 URL
https://agent.example.com/webhook/task-complete
references/rtp-protocol.md:72
💰
Medium Wallet Address 加密货币钱包地址
0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913
references/x402-gateway.md:14

File Tree

6 files · 28.7 KB · 990 lines
Markdown 5f · 817L Shell 1f · 173L
├─ 📁 references
│ ├─ 📝 batch-payments.md Markdown 122L · 3.2 KB
│ ├─ 📝 bitcoin-psbt.md Markdown 129L · 2.8 KB
│ ├─ 📝 rtp-protocol.md Markdown 149L · 3.9 KB
│ └─ 📝 x402-gateway.md Markdown 191L · 5.4 KB
├─ 📁 scripts
│ └─ 🔧 spraay.sh Shell 173L · 5.0 KB
└─ 📝 SKILL.md Markdown 226L · 8.3 KB

Security Positives

✓ All network requests target declared gateway.spraay.app endpoint only
✓ No credential harvesting or environment variable iteration for sensitive keys
✓ No obfuscation techniques (base64, eval, atob) beyond standard file encoding for IPFS
✓ No remote script execution (curl|bash, wget|sh)
✓ No sensitive path access (~/.ssh, ~/.aws, .env)
✓ No reverse shell, C2, or data exfiltration to external IPs
✓ Bitcoin operations are non-custodial (PSBT keeps private keys client-side)
✓ Payment protocol uses x402 standard with USDC on Base via Coinbase CDP
✓ Full endpoint catalog documented with transparent pricing
✓ Open-source references provided (github.com/plagtech)