Send USD Skill

Warn

Audited by ClawScan on May 10, 2026.

Overview

This payment skill says it sends real USD, but the code only fabricates a successful transfer without authentication, provider confirmation, or logging.

Do not rely on this skill for real payments in its current form. It appears to be a placeholder that reports success without sending money; install or use it only for testing unless it is updated to use a trusted payment provider with authentication, explicit approval, limits, and provider-confirmed transaction records.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A user or agent could believe money was actually sent when no real transfer occurred, causing unpaid services, accounting errors, or misplaced trust in a fake transaction ID.

Why it was flagged

The implementation returns a successful transaction result even though it explicitly says the payment-provider integration is only a TODO and the transfer is simulated.

Skill content

// TODO: Integrate with your payment provider here
// Simulated successful transfer
const result = {
  success: true,
  transaction_id,

Recommendation

Label this as a demo or test-only skill unless it performs a real provider-confirmed transfer. Do not return success or a transaction ID until an authenticated payment provider confirms the transfer.

What this means

If used as a real payment workflow, the agent would have an unsafe transfer interface with unclear authorization and no reliable confirmation controls.

Why it was flagged

For a financial-transfer interface, the code only validates basic parameter types and amount minimums before returning success; it does not enforce authentication, user approval, balance checks, rate limits, or a provider-confirmed recipient.

Skill content

const { from_agent, to_agent, amount = 1.0, memo = "" } = ctx.params;
...
// Simulated successful transfer
const result = {
  success: true,

Recommendation

Require explicit per-transfer user confirmation, authenticated account binding, amount limits, recipient verification, balance/provider checks, and auditable failure handling before exposing this as a payment skill.