Mayar Payment Integration

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate Mayar payment integration, but it gives an agent live payment-account authority without enough built-in safeguards around confirmations, credentials, and customer data.

Install only if you intend to connect a Mayar account. Use sandbox credentials first, verify and preferably pin the MCP helper, store the API token as a secret, and require explicit confirmation before creating invoices, sending payment links, registering webhooks, or messaging customers.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium (91% confidence)
Finding
The skill instructs users to store and transmit a live Mayar API token that enables payment-related actions, but it does not clearly warn that this credential is sensitive, high-impact, and must not be exposed in configs, logs, screenshots, or shared environments. In a payment integration context, omission of credential-handling guidance materially increases the risk of unauthorized invoice creation, transaction access, and broader account abuse if the token is leaked.

Missing User Warnings

Medium (76% confidence)
Finding
The examples transmit personally identifiable information such as customer name, email, and mobile number to an external payment/API tool without documenting consent, minimization, retention, or privacy expectations. In real deployments this can lead to privacy compliance failures, overcollection, or accidental leakage through logs, shell history, and operational tooling.

Missing User Warnings

Medium (82% confidence)
Finding
The WhatsApp automation examples send payment links and customer-related transaction details over an external messaging channel without warning about message confidentiality, recipient verification, or consent. If implemented carelessly, links or billing details could be sent to the wrong number, exposed on compromised devices, or processed in ways that violate privacy expectations.

VirusTotal

44/44 vendors flagged this skill as clean.
