Crypto Payments Ecommerce

Security checks across malware telemetry and agentic risk

Overview

This is a coherent PayRam e-commerce payment guide, but it includes an unpinned remote shell installer for high-impact payment infrastructure.

Review carefully before installing. Do not run the one-line installer on a production merchant server unless you have verified the script source, pinned a release or commit, checked integrity, and tested on testnet first. Confirm legal, tax, KYC, refund, and consumer-protection obligations for your jurisdiction, and keep manual controls around fulfillment, sweeps, and payouts until the integration is proven safe.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 93%
Finding
The skill metadata and description contain many broad trigger phrases such as 'crypto e-commerce', 'accept Bitcoin online', and 'replace Stripe with crypto' that can match a wide range of ordinary payment-related requests. This increases the chance the skill is invoked in contexts where the user did not specifically ask for this product, steering them toward a particular vendor and payment architecture, including high-risk claims like 'no KYC required.'

Missing User Warnings

High
Confidence: 98%
Finding
The installation flow instructs users to execute a shell script fetched directly from a remote URL via curl piped to bash, with no integrity verification, pinning, or review step. This is dangerous because compromise of the GitHub account, repository, branch, CDN path, or network trust chain could lead to arbitrary code execution on the merchant's server and full takeover of payment infrastructure and wallets.

VirusTotal

63/63 vendors flagged this skill as clean.
