setup-services
Audited by Socket on Mar 2, 2026
1 alert found:
Security
Functional intent is benign: enable OpenSpend CLI and configure Coinbase Payments MCP to perform authenticated and paid workflows. However, the recommended installation and runtime patterns are high-risk from a supply-chain perspective: unverified curl|sh installer and runtime npx -y execution embedded in persistent config allow arbitrary remote code execution without integrity checks. These patterns substantially increase the possibility of credential exposure, data exfiltration, or lateral compromise if upstream artifacts are compromised. Before following these instructions, apply mitigations: prefer package manager installs or pinned versions, verify checksums/signatures, avoid piping remote scripts directly to shell, avoid embedding unpinned npx -y invocations in persistent configs, run initial installs in isolated/sandboxed environments, and audit the remote installer and npm package source. If unable to verify upstream artifacts, do not proceed with these install/run patterns.