Config is the same across clients — only the file and path differ.
{
"mcpServers": {
"runpay": {
"url": "https://runpay-backend-visibility-production.up.railway.app/mcp"
}
}
}Are you the author?
Add this badge to your README to show your security score and help users find safe servers.
Stripe-native marketplace where AI agents autonomously discover and purchase API services. Pay-per-call, no accounts needed.
Run this in your terminal to verify the server starts. Then let us know if it worked — your result helps other developers.
uvx 'requests' 2>&1 | head -1 && echo "✓ Server started successfully"
After testing, let us know if it worked:
Five weighted categories — click any category to see the underlying evidence.
Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function
### Impact The `requests.utils.extract_zipped_paths()` utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. A local attacker with write access to the temp directory could pre-create a malicious file that would be loaded in place of the legitimate one. ### Affected usages **Standard usage of the Requests library is not affected by this vulnerability.** Only app
Requests vulnerable to .netrc credentials leak via malicious URLs
### Impact Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs. ### Workarounds For older versions of Requests, use of the .netrc file can be disabled with `trust_env=False` on your Requests Session ([docs](https://requests.readthedocs.io/en/latest/api/#requests.Session.trust_env)). ### References https://github.com/psf/requests/pull/6965 https://seclists.org/fulldisclosure/2025/Jun/2
Requests `Session` object does not verify requests after making first request with verify=False
When using a `requests.Session`, if the first request to a given origin is made with `verify=False`, TLS certificate verification may remain disabled for all subsequent requests to that origin, even if `verify=True` is explicitly specified later. This occurs because the underlying connection is reused from the session's connection pool, causing the initial TLS verification setting to persist for the lifetime of the pooled connection. As a result, applications may unintentionally send requests w
PYSEC-2023-74
Requests is a HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use `rebuild_proxies` to reattach the `Proxy-Authorization` header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the `Proxy-Authorization` header
PYSEC-2018-28
The Requests package before 2.20.0 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network.
Be the first to review
Have you used this server?
Share your experience — it helps other developers decide.
Sign in to write a review.
Others in ai-ml / ecommerce
Persistent memory using a knowledge graph
Dynamic problem-solving through sequential thought chains
An autonomous agent that conducts deep research on any data using any LLM providers
🌊 The leading agent orchestration platform for Claude. Deploy intelligent multi-agent swarms, coordinate autonomous workflows, and build conversational AI systems. Features enterprise-grade architecture, distributed swarm intelligence, RAG integration, and native Claude Code / Codex Integration
MCP Security Weekly
Get CVE alerts and security updates for io.github.PalabreX/runpay and similar servers.
Start a conversation
Ask a question, share a tip, or report an issue.
Sign in to join the discussion.
Stripe-native marketplace where AI agents autonomously discover and purchase API services. Pay-per-call, no accounts needed.
https://runpay-backend-visibility-production.up.railway.app/mcp
Add to ~/Library/Application Support/Claude/claude_desktop_config.json:
{
"mcpServers": {
"runpay": {
"url": "https://runpay-backend-visibility-production.up.railway.app/mcp"
}
}
}
Add to .cursor/mcp.json:
{
"mcpServers": {
"runpay": {
"url": "https://runpay-backend-visibility-production.up.railway.app/mcp",
"transport": "http"
}
}
}
| Tool | Description |
|---|---|
list_services | Browse all available services and prices |
call_service | Call a service and pay automatically via Stripe |
| Service | Price | Description |
|---|---|---|
| Phone Validator | $0.60/call | Validate phone numbers worldwide. Returns country, line type, E164 format |
| Phone Validator Batch | $5.00/batch | Validate up to 1000 numbers in one call |
| Web Scraper Pro | $0.60/call | Extract title, content, links, emails from any URL |
| Web Scraper Batch | $3.00/batch | Scrape up to 10 URLs in parallel |
| PDF Generator | $0.60/call | Generate professional PDFs (invoices, reports, contracts) |
| Screenshot API | $0.60/call | Capture any website as PNG with site accessibility check |
pip install requests
from runpay_sdk import RunPay
# Initialize (sandbox=True for testing without payment)
rp = RunPay(agent_id="my-agent-001", sandbox=False)
# Validate a phone number — $0.60
result = rp.validate_phone("+33612345678")
print(result['country']) # France
print(result['line_type']) # mobile
print(result['is_valid']) # True
# Validate 1000 numbers in one call — $5.00
result = rp.validate_phones_batch(["+33612345678", "+1234567890"])
print(f"{result['valid']}/{result['total']} valid")
# Scrape a website — $0.60
result = rp.scrape("https://example.com")
print(result['title'])
print(result['emails'])
# Scrape 10 URLs in parallel — $3.00
result = rp.scrape_batch(["https://site1.com", "https://site2.com"])
# Generate an invoice PDF — $0.60
result = rp.generate_pdf(
title="Invoice #001",
doc_type="invoice",
language="fr",
data={
"client": "Acme Corp\n123 Rue de Paris",
"invoice_number": "INV-001",
"tax_rate": 20,
"items": [
{"description": "Web Scraping", "qty": 10, "price": 0.60}
]
}
)
with open("invoice.html", "w") as f:
f.write(result['html'])
# Take a screenshot — $0.60
result = rp.screenshot("https://example.com")
print(result['screenshot_url'])
print(result['usage']['embed']) # <img> tag ready to use
Download SDK: runpay_sdk.py
# No real payment — perfect for development
rp = RunPay(agent_id="my-agent-001", sandbox=True)
result = rp.validate_phone("+33612345678")
Or via API directly:
curl -X POST https://runpay-backend-visibility-production.up.railway.app/api/sandbox/call/SERVICE_ID \
-H "Content-Type: application/json" \
-d '{"agent_id":"my-agent","payload":{"phone":"+33612345678"}}'
Before calling paid services, your agent needs a payment card attached.
Publish any function and earn per agent call via Stripe.
| 🌐 Site | [getrunpay.com](https://getrunpay |