ASG Card

Security checks across malware telemetry and agentic risk

Overview

This payment-card skill is purpose-aligned, but it gives agents real spending power and exposes full card credentials with inconsistent documentation and incomplete guardrails.

Install only if you intentionally want an agent to spend real funds and manage virtual cards. Use a dedicated Stellar wallet with limited USDC, avoid storing high-value private keys in plaintext configs, require your MCP client to ask for approval before create_card, fund_card, get_card_details, freeze_card, or unfreeze_card, and do not allow PAN/CVV outputs to be logged, remembered, or sent through Telegram unless you accept that exposure.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (31)

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding: The migration enables RLS on sensitive tables but defines no policies, while claiming there is 'no direct user access.' In PostgreSQL, enabling RLS alone does not implement the intended access model unless the deployment also guarantees only privileged roles can access these tables; misconfigured grants or non-bypassing roles can lead to unexpected access failures or, worse, unintended exposure if assumptions about service-only access are wrong.

Description-Behavior Mismatch

Severity: Medium
Confidence: 87%
Finding: The file exposes a state-changing maintenance endpoint that deletes expired nonces, which goes beyond the documented read-only ops surface. Although it is protected by the same opsAuth middleware and uses parameterized SQL, this expands the privileged attack surface and allows anyone with ops credentials to trigger destructive maintenance on demand, including with attacker-chosen retention and batch parameters.

Intent-Code Divergence

Severity: High
Confidence: 93%
Finding: The module header explicitly claims the ops router only exposes GET /ops/metrics and GET /ops/rollout, but the code also implements POST /ops/nonce-cleanup with deletion side effects. This documentation mismatch is dangerous because security reviewers, deployers, and agent integrators may treat the route as read-only and fail to account for a hidden privileged mutation endpoint in a payments-related system.

Context-Inappropriate Capability

Severity: Medium
Confidence: 89%
Finding: The client exposes a method to retrieve full PAN, expiry, and CVC, which materially increases the sensitivity of the skill beyond ordinary card management. In an agent context, returning PCI data to higher layers or model-controlled workflows can enable unauthorized disclosure and misuse of card credentials and expands compliance scope; the skill description mentions creating and managing cards, but not handling raw card secrets.

Intent-Code Divergence

Severity: Medium
Confidence: 92%
Finding: The page content states the product operates on Base and uses Coinbase/x402 infrastructure, while the skill metadata describes Stellar-based operation. In a payment-card skill, this kind of network-scope mismatch can mislead users or downstream agents about where funds settle and which trust assumptions, integrations, and controls apply.

Intent-Code Divergence

Severity: Medium
Confidence: 94%
Finding: The operational description claims x402-native operation, a virtual cards API, and USDC on Base, contradicting the stated Stellar-based payment flow in the skill metadata. For financial infrastructure, inaccurate operational claims can cause incorrect integration decisions, misrouted payments, or unsafe reliance on controls that exist on one network but not another.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding: The step-by-step workflow describes Base settlement and Coinbase x402 verification instead of the manifest's Stellar-based flow. In a skill intended for autonomous financial actions, workflow inaccuracies are security-relevant because agents or operators may perform actions under false assumptions about settlement finality, counterparties, and payment verification paths.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding: The embedded proposal text materially conflicts with the skill's declared payment rails and wallet model by advertising PYUSD/PayPal settlement instead of USDC on Stellar. In a financial/payment skill, contradictory documentation can mislead operators, integrators, or downstream agents into using the wrong asset flow or making incorrect trust/compliance assumptions, which creates real security and operational risk even though this file is only front-end content.

Intent-Code Divergence

Severity: Medium
Confidence: 96%
Finding: The 'How it works' section describes a specific transaction sequence involving x402 payment and PYUSD on-chain settlement that conflicts with the stated USDC/Stellar behavior of the skill. Because the content presents operational steps, readers may treat it as authoritative implementation guidance, leading to integration mistakes, incorrect security assumptions, and possible mishandling of funds or compliance workflows.

Intent-Code Divergence

Severity: Medium
Confidence: 94%
Finding: The repeated references to PYUSD treasury, settlement, and partner value propositions reinforce a false representation of the skill's financial model. In the context of autonomous payment infrastructure, persistent misrepresentation increases the chance of operator confusion, bad integration decisions, and trust/compliance issues, making the discrepancy more dangerous than ordinary marketing inconsistency.

Intent-Code Divergence

Severity: High
Confidence: 99%
Finding: The UI promises wallet-based authentication, but the implementation only prompts for a wallet address and then trusts that value in privileged API calls. Any user can enter someone else's Stellar address and potentially view link status, generate Telegram link tokens, or revoke Telegram access for that wallet if the backend relies on the X-Wallet-Address header.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The README encourages running an onboarding command that creates a local wallet file containing sensitive Stellar key material and modifies MCP/client configuration, but it does not prominently warn users about those side effects before execution. In an agent skill context, silent creation of persistent secrets and environment changes is more dangerous because users may let automation run commands without fully understanding that wallet credentials will be stored on disk.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The README advertises a tool that returns full card details including PAN, CVV, and expiry without a prominent warning that this is highly sensitive PCI-like payment data that must not be logged, echoed to chat, stored in prompts, or exposed to other tools. In an MCP/agent setting this is especially risky because agents commonly serialize tool outputs into transcripts, memory, telemetry, or downstream integrations, which could leak usable card credentials.

Vague Triggers

Severity: Medium
Confidence: 77%
Finding: Broad activation language such as enabling agents to autonomously create and manage payment cards lacks tight trigger constraints or user-consent boundaries. In a financial skill, this increases the risk of accidental invocation, prompt-induced misuse, or unauthorized spending/card lifecycle actions initiated by an agent without sufficiently specific authorization.

Missing User Warnings

Severity: High
Confidence: 93%
Finding: The skill exposes highly sensitive financial material, including wallet secrets and full card details such as PAN, CVV, and expiry, but the description does not clearly warn users about these risks. Without explicit handling guidance, users and downstream agents may log, echo, store, or transmit credentials and cardholder data insecurely, creating serious fraud and compliance exposure.

Missing User Warnings

Severity: High
Confidence: 94%
Finding: The skill emphasizes autonomous payments and card funding but omits clear warnings that these actions may be financial, irreversible, or difficult to recover once executed on-chain or with a card issuer. In this context, the absence of strong warnings and consent controls makes unintended fund movement significantly more dangerous than in a non-financial skill.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: This module sends operational and user-linked information to Telegram, a third-party messaging platform, including wallet fragments, Telegram usernames/IDs, webhook summaries, transaction details, and command activity. Even if intended for internal administration, this creates an external disclosure channel for potentially sensitive financial and identity-related data, and users may not reasonably expect that their activity is replicated to Telegram admins.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding: The webhook processes /start, /status, /help, and callback actions for any chat that can reach the bot, with no authorization check against an approved admin chat/user list. In this skill's context, the bot exposes operational status and setup guidance over Telegram, so an unauthorized user who discovers or contacts the bot could receive internal system information intended only for administrators.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: This code retrieves full PAN, expiry, and CVV and sends them into a Telegram chat message, which is a sensitive channel not designed for PCI-secret handling. Although the values are wrapped in Telegram spoilers and a delete button is provided, the data is still exposed in chat history, to Telegram clients, notifications, screenshots, backups, or compromised sessions, and there is no strong re-authentication, explicit consent warning, or guaranteed auto-deletion.

Missing User Warnings

Severity: High
Confidence: 96%
Finding: This route returns full PAN/CVV/expiry and billing address material directly in the API response, which greatly increases the chance of accidental exposure through agent logs, proxies, browser history, telemetry, or downstream integrations. Even with a short-lived wrapper like `detailsEnvelope`, transmitting raw card secrets in-band is highly sensitive and can enable immediate fraudulent card use if any intermediary or caller is compromised.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The README instructs users to authenticate with a Stellar private key and to store it in a local config file or environment variable, but it does not include explicit warnings about the sensitivity of this credential or the risks of leakage through shell history, logs, backups, or multi-user systems. Because this key authorizes wallet activity, compromise could allow unauthorized payments or loss of funds.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The README advertises a command that retrieves card details including PAN, CVV, and expiry, but provides no warning about the sensitivity of this payment data or the risk of exposing it in terminals, logs, screenshots, scrollback, or shared environments. In a CLI for autonomous agents handling virtual cards, this materially increases the chance of accidental disclosure and fraudulent card use.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The login flow accepts a Stellar private key interactively and persists it to ~/.asgcard/config.json, which creates a long-lived plaintext secret on disk with no explicit warning or consent step. In this skill's context, that key directly controls a blockchain wallet used to create/fund cards, so compromise of the local machine, backups, logs, or home-directory access could lead to theft of funds or unauthorized card operations.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The README explicitly promotes fully autonomous card creation, funding, and retrieval of sensitive card details, but does not include prominent warnings, consent requirements, or guardrails around financial loss and exposure of payment credentials. In an agent context, this increases the chance that users enable a tool capable of spending funds and revealing PAN/CVV data without understanding the consequences, which can lead to unauthorized transactions or sensitive payment-data leakage.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: The README explicitly shows accessing and printing `detailsEnvelope`, which the comment indicates contains `cardNumber`, `cvv`, and `expiry`. In an agent-oriented payments SDK, examples strongly influence implementation, so this pattern can lead developers to log full payment card data into consoles, logs, traces, or telemetry systems, creating PCI-sensitive data exposure and increasing risk of card theft or misuse.

VirusTotal

VirusTotal findings are pending for this skill version.
