Crypto Payments Saas

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate PayRam crypto billing helper, but its generated payment and webhook code should be reviewed before real use.

Install only if you intend to use PayRam for crypto billing. Treat generated routes, webhooks, payout logic, and subscription activation code as financial infrastructure: use a test environment first, verify webhook signatures and idempotency, keep secrets out of prompts and client-side code, and require human review before production payouts or entitlement changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Medium (89% confidence)
Finding
The skill encourages generating webhook handlers, payment routes, payout snippets, and subscription-activation logic that directly affect billing state and customer access, but it provides no warning that the produced code may process payment events, mutate entitlements, or require strict verification and testing. In a payments context, users may paste generated code into production without understanding webhook authenticity checks, idempotency, replay protection, and safe fulfillment requirements, which can lead to unauthorized activation or billing errors.

Missing User Warnings

Medium (91% confidence)
Finding
The skill presents scaffolding a complete SaaS payment system as a quick, turnkey action without disclosing that it may generate production-relevant billing, webhook, and payout integration code. In a financial workflow, this increases the chance that developers will trust and deploy opaque generated logic that can create invoices, process payment confirmations, or provision service incorrectly, causing financial loss or unauthorized access.

VirusTotal

64/64 vendors flagged this skill as clean.
