ClawHub

Mayar.id Payment

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Mayar payment integration, but it deserves review because it gives an agent production payment-account capability with weakly scoped approval and secret-handling guidance.

Install only if you trust the Mayar MCP endpoint and are comfortable giving the agent access to a Mayar payment API token. Start in sandbox, keep tokens out of shared configs and logs, require human approval before creating invoices or messaging customers, verify recipient and amount details, and avoid copying the `execSync` examples without replacing them with safer argument-based tool calls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (5)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README instructs users to place the API token directly into MCP server arguments/header configuration, which can leak credentials via process listings, shell history, copied config files, logs, or screenshots. This is not overtly malicious, but it normalizes unsafe secret handling for a payment credential that could allow unauthorized payment actions or data access.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill explicitly instructs users to send customer names, email addresses, phone numbers, and payment details to an external payment processor, but it does not warn about privacy, consent, or data-handling obligations. In a payment workflow this omission increases the risk of unauthorized sharing of personal data and non-compliant use in regulated or privacy-sensitive environments.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The WhatsApp workflow sends customer contact data and a payment link through a third-party messaging channel without any warning about exposure, consent, or the sensitivity of payment-related communications. This can lead to privacy leakage, misdelivery, or phishing-style confusion if users adopt the pattern without safeguards.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The webhook examples include customer payment and contact data but do not instruct implementers to protect, minimize, or securely store personally identifiable information. In a payment integration context, this omission can lead developers to log, persist, or process sensitive webhook payloads insecurely, increasing privacy and compliance risk.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The authentication section tells users to use Bearer tokens and retrieve API keys, but gives no warning about secure secret storage, rotation, or preventing client-side exposure. For a payment API, poor secret-handling guidance can directly lead to credential leakage, unauthorized API access, invoice/payment manipulation, and account compromise.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal