soho

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a real SOHO Pay integration, but it gives an agent raw wallet-key authority to make mainnet financial transactions with limited built-in safeguards.

Install only if you intend to let an agent operate a dedicated, low-balance SOHO Pay wallet. Prefer testnet first, avoid using a personal or high-value wallet key, verify the contract and recipient addresses independently, and require manual approval for network, amount, recipient, registration, approval, payment, and repayment actions before broadcasting.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 89%
Finding: The skill explicitly requires and uses the sensitive PRIVATE_KEY environment variable, yet the metadata shown in this file does not declare corresponding permissions/capabilities. That mismatch can undermine platform trust boundaries and lead operators to install a skill without realizing it will access signing credentials capable of moving real funds.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 93%
Finding: The declared description says the skill initiates payments, but the documented behavior also includes agent registration, profile/status inspection, USDC approval, and debt repayment. This broader authority is security-relevant because users or orchestrators may permit the skill under a narrower mental model, while it can perform additional state-changing financial actions affecting funds, allowances, and account status.

Description-Behavior Mismatch

Medium
Confidence: 88%
Finding: The skill is described as initiating payments, but it also performs an on-chain state-changing registration via registerAgent when the payer is not already registered or active. This expands the authority and side effects of the skill beyond its stated purpose, creating a confused-deputy risk where a user invoking a payment flow may unintentionally authorize account enrollment or other persistent protocol state changes.

Description-Behavior Mismatch

Medium
Confidence: 92%
Finding: The script contradicts the skill description by loading a raw PRIVATE_KEY, issuing on-chain ERC-20 approve() transactions, and directly submitting repay() with a hot wallet instead of using EIP-712 signed messages. This increases key-handling risk, expands the scope of what the agent can do on-chain, and can mislead operators into granting direct signing authority when they expect an off-chain signature flow with narrower trust assumptions.

Context-Inappropriate Capability

Medium
Confidence: 93%
Finding: This script performs only read-only blockchain calls, but it unnecessarily requires a PRIVATE_KEY and instantiates a Wallet solely to derive the borrower address. Requiring operators to load a live private key into the environment for a status check expands key exposure risk through shell history, process environments, CI logs, crash dumps, and developer workstation compromise, which is especially concerning in a payment-related skill.

Vague Triggers

Medium
Confidence: 86%
Finding: The natural-language trigger for `pay <amount> to <merchant_address>` is broad for a skill that can sign and submit financial transactions using a local private key. In an autonomous or multi-skill agent setting, ambiguous phrasing increases the risk of accidental activation, prompt-injection-assisted transaction requests, or unintended payment execution without strong user intent verification.

VirusTotal

58/58 vendors flagged this skill as clean.