ClawHub

PayGents

Security checks across malware telemetry and agentic risk

Overview

PayGents appears to be a real crypto-payment helper, but it needs Review because malformed chain IDs can make some scripts run unintended local Node.js code.

Install only if you are comfortable reviewing or patching the scripts first. Use fixed known numeric chain IDs, avoid letting untrusted chat input choose script arguments, keep --out pointed at a dedicated receipt folder, and use your own RPC endpoints if wallet privacy matters. Always verify recipient, token, chain, and amount in the wallet before approving any payment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README describes sending payment deeplinks via chat platforms and verifying transactions on-chain, but it does not clearly warn users that wallet addresses, payment metadata, and transaction details may be exposed to third-party messaging providers and RPC endpoints. In a payment-related skill, this omission can lead users to underestimate privacy, tracking, and metadata leakage risks, especially when conversations occur over Telegram, Discord, or similar services.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script sends the user-supplied wallet address to one or more third-party RPC endpoints to retrieve balances, but the CLI usage text and interface do not clearly disclose that this reveals the queried address, IP metadata, and timing information to external infrastructure. In a payment-related agent skill, this can expose sensitive financial relationship and behavioral metadata, especially when querying across multiple chains, even though no funds are directly at risk.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal