Back to skill

Security audit

Mayar.id Payment

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Mayar payment integration, but it deserves review because it gives an agent live payment-account and customer-messaging capability with weak scoping and secret-handling guidance.

Install only if you trust the Mayar MCP endpoint and are comfortable giving the agent access to a Mayar payment API token. Use sandbox first, avoid placing raw tokens in shared configs or command arguments when safer secret mechanisms are available, require human confirmation before creating invoices or messaging customers, and add privacy/retention controls for customer and transaction data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Rogue AgentSelf-Modification, Session Persistence
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README instructs users to store and use a payment-platform API token and process customer payment data, but it does not include any security guidance about handling secrets, protecting customer PII, or avoiding logging/exposing tokens in configs and command lines. In a payment integration context, this omission increases the likelihood of credential leakage or unsafe data handling by downstream users and agents.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill explicitly handles customer names, emails, phone numbers, transaction status, and WhatsApp payment messaging, but it provides no privacy notice, data-minimization guidance, or warning about handling sensitive customer/payment-related data. This increases the risk that operators will collect, transmit, or retain personal data without appropriate consent, safeguards, or compliance controls.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The webhook examples and guidance show processing payment events containing customer name, email, and mobile data, but they do not warn implementers to treat this as personal data, minimize storage, protect logs, and secure the receiving endpoint. In practice, developers may log full payloads, expose webhook histories, or handle PII without access controls or retention limits, increasing privacy and data exposure risk.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The examples create invoices and send WhatsApp messages containing customer name, email, phone number, payment links, and transaction details without any notice, consent step, or privacy guidance. In a payment/messaging integration context, this can normalize unsafe handling of personal data and lead implementers to automate external disclosures without appropriate user awareness or legal basis.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The reminder/reporting examples automatically send outbound WhatsApp messages based on invoice state, but do not disclose that these are automated communications or recommend opt-in/opt-out controls. This can cause unwanted contact, privacy complaints, and regulatory exposure if copied into production without user notification and messaging governance.

Credential Access

High
Category
Privilege Escalation
Content
// 3. Grant course access
  await grantCourseAccess(paidInvoice.customer.email);
  
  // 4. Send access credentials
  message({
    action: 'send',
    channel: 'whatsapp',
Confidence
77% confidence
Finding
access credentials

Session Persistence

Medium
Category
Rogue Agent
Content
---
name: mayar-payment
description: Mayar.id payment integration for generating invoices, payment links, and tracking transactions via MCP. Use when needing to: (1) Create payment invoices/links for customers, (2) Track payment status and transactions, (3) Generate WhatsApp-friendly payment messages, (4) Handle Indonesian payment methods (bank transfer, e-wallet, QRIS), (5) Manage subscriptions/memberships, or (6) Automate payment workflows for e-commerce, services, or digital products.
---

# Mayar Payment Integration
Confidence
72% confidence
Finding
Create payment invoices/links for customers, (2) Track payment status and transactions, (3) Generate WhatsApp-friendly payment messages, (4) Handle Indonesian payment methods (bank transfer, e-wallet,

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.