
Security audit

SohoPay

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed crypto-payment skill that can move real funds, but its sensitive behavior is documented and aligned with its purpose.

Install only if you intend to let this skill sign and submit SOHO Pay transactions. Use a dedicated low-balance wallet, prefer testnet first, verify the network, amount, merchant address, and repayment amount before each run, and never provide a private key that controls unrelated funds.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill requires access to a highly sensitive environment variable (`PRIVATE_KEY`) but the metadata shown here does not declare that capability as a permission. This creates a transparency and review gap: users or orchestration systems may invoke a skill with secret access they did not explicitly approve, increasing the risk of unintended key exposure or unauthorized fund-moving actions.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The declared description says the skill initiates payments, but the documented behavior also includes registration, status/profile inspection, ERC20 approvals, and debt repayment. This mismatch is dangerous because users, policy engines, or reviewers may approve the skill for a narrow payment use case while it actually has broader authority to submit additional on-chain transactions and modify token allowances and debt state.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill's stated purpose is to initiate payments, but it also performs an on-chain state-changing registration by calling registerAgent when the signer is not registered or active. This expands the authority and side effects of the skill beyond user expectation, causing an operator to unknowingly authorize an additional transaction that can enroll the wallet in protocol state and potentially enable future spending behavior.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The script can submit an on-chain registerAgent transaction, which expands the skill's effective capabilities beyond the declared purpose of merely initiating payments via EIP-712 signatures. This scope mismatch is dangerous because users or hosting agents may grant trust based on the manifest, while the code can mutate protocol state and incur gas costs or establish persistent authorization relationships.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The script requires a raw PRIVATE_KEY from the environment and uses it to create a wallet capable of broadcasting transactions. In a skill advertised for payment initiation via signatures, this introduces unnecessary key-handling risk: compromise of the execution environment, logs, dependency chain, or misuse of the script could expose or abuse the key for broader on-chain actions than users expect.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The skill metadata says it initiates payments using EIP-712 signatures, but this script instead loads a raw PRIVATE_KEY and directly sends on-chain approve() and repay() transactions. That mismatch is dangerous because users or calling agents may grant the skill broader signing authority than expected, turning what should be an off-chain authorization flow into full transaction execution with token-spending power.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The file usage text advertises a repayment CLI, which conflicts with the skill's declared purpose of EIP-712 signature-based payment initiation. In an agent skill ecosystem, this kind of capability/documentation mismatch can mislead users, orchestrators, or policy systems about what authority the code actually exercises, increasing the chance of unsafe deployment or accidental key exposure.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The natural-language interface encourages commands like "pay" and "repay" without a strong, immediate warning that these can create real blockchain transactions affecting mainnet funds and debt positions. In an agent setting, ambiguous NL prompts can be misinterpreted or triggered in automation, so insufficient pre-execution warning materially increases the chance of accidental fund movement.

Unpinned Dependencies

Low
Category
Supply Chain
Content
    "pay": "node scripts/pay.js"
  },
  "dependencies": {
    "ethers": "^6.13.0",
    "dotenv": "^16.0.0"
  },
  "engines": {
Confidence
91% confidence
Finding
"ethers": "^6.13.0"

Unpinned Dependencies

Low
Category
Supply Chain
Content
  },
  "dependencies": {
    "ethers": "^6.13.0",
    "dotenv": "^16.0.0"
  },
  "engines": {
    "node": ">=18.0.0"
Confidence
90% confidence
Finding
"dotenv": "^16.0.0"

VirusTotal

57/57 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.