Security audit

confidential-agentic-payment-stack

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed blockchain payment skill, but it can sign real transactions and make paid requests from command arguments without built-in confirmation or spend limits.

Install only if you intend to let the agent sign blockchain transactions and make x402 paid requests. Start on Sepolia, verify chain, contract addresses, recipients, amounts, and delegation targets before each run, prefer Ledger or DFNS over a raw private key, and avoid sending sensitive prompts or proprietary code through the demo API commands unless you trust the configured services.

SkillSpector (by NVIDIA)

Vulnerability patterns checked:
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Context-Inappropriate Capability

Severity: Medium | Confidence: 90%

Finding: This file adds broad research, LLM summarization, and image-generation behavior that is not necessary for the declared payment-focused skill. In an agent context, this kind of scope expansion increases attack surface and can cause the skill to exfiltrate user prompts or perform unexpected paid actions through external services under the guise of a payment utility.

Vague Triggers

Severity: Medium | Confidence: 84%

Finding: The invocation description is broad enough to match many ordinary payment, wallet, escrow, identity, and delegation requests. In an autonomous-agent setting, overbroad triggering increases the chance the skill is invoked for high-risk on-chain actions without sufficiently specific user intent, which can lead to unintended transfers or privilege-granting operations.

Missing User Warnings

Severity: Medium | Confidence: 92%

Finding: The documentation encourages irreversible financial operations such as wrapping, unwrapping, paying, and escrow funding without prominent warnings about on-chain finality, contract risk, address mistakes, or loss of funds. In a blockchain payment skill, omission of explicit financial-risk warnings materially increases the likelihood of unsafe use by operators or autonomous agents.

Missing User Warnings

Severity: Medium | Confidence: 89%

Finding: This code submits an on-chain payment transaction immediately after parsing CLI arguments, with no explicit confirmation, preview, or policy gate in this file. In an agent skill context, that increases the risk of unintended or prompt-influenced transfers because a caller can trigger real value movement once the wallet is available, especially on Mainnet as noted in the skill metadata.

Missing User Warnings

Severity: Medium | Confidence: 95%

Finding: The code sends the user query, search results, and derived analysis to three external network endpoints without any visible notice, consent flow, or data-minimization controls. Because this is an agent skill tied to payments, users may not expect their inputs to be forwarded to search, LLM, and image services, creating privacy and data-handling risk if sensitive prompts are passed through.

Missing User Warnings

Severity: Medium | Confidence: 90%

Finding: This code transmits user-supplied source code to an external review service via an HTTP request, but this file provides no explicit user warning, consent flow, or data-sensitivity checks before exfiltrating potentially proprietary code. In this skill's context, the risk is heightened because the tool is designed to make paid remote requests automatically, so users may not realize sensitive code is leaving the local environment and being sent to a configurable endpoint.

Missing User Warnings

Severity: Medium | Confidence: 94%

Finding: The manifest documents multiple highly sensitive secrets, including raw private keys, DFNS auth material, and a Ledger bridge shared secret, but provides no explicit warning about secure storage, logging, redaction, or avoiding prompt/context exposure. In an agent ecosystem, operators may paste these values into insecure config stores, transcripts, or runtime environments, increasing the likelihood of wallet compromise and unauthorized on-chain transactions.

Missing User Warnings

Severity: Medium | Confidence: 89%

Finding: This code submits an on-chain unwrap transaction and may also automatically finalize it, releasing underlying tokens, without any explicit user confirmation or warning at the point of execution. In an agent skill context, that creates a real risk of unintended asset movement if the skill is invoked with attacker-influenced parameters or through prompt/agent confusion, especially because unwrap/finalize are state-changing operations affecting user funds.

Missing User Warnings

Severity: Medium | Confidence: 89%

Finding: This code performs two state-changing token operations in sequence (an ERC-20 approval followed by a wrap) without any explicit user-facing confirmation, preview, or safeguard in this file. In an agent skill that can move funds on-chain, silently executing approvals and transfers increases the risk of unintended spending if the skill is invoked with the wrong amount, wrong network context, or by an upstream workflow the user did not fully authorize.

VirusTotal

65/65 vendors flagged this skill as clean.