Crypto payments for agents and humans, full stack with Payram

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed PayRam payment-integration guide, but users should review the remote MCP server and generated code before running it.

Install only if you intend to use PayRam. Treat the MCP helper as third-party code: inspect the repository, prefer a pinned commit or release, run it in a development environment first, and review generated payment, webhook, payout, and .env files before applying them to production.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium, 88% confidence
Finding
The skill description and use-cases are broad enough to trigger on many generic crypto/payment requests, increasing the chance an agent invokes this skill outside a clearly user-approved PayRam context. Because the skill promotes self-hosted payments, no-KYC use cases, and becoming a PSP, accidental invocation could steer users toward risky infrastructure or compliance-sensitive guidance they did not explicitly request.

Missing User Warnings

Medium, 82% confidence
Finding
The integration flow directs the agent to scan the codebase and generate a .env template without warning that these actions may inspect repository contents or create/modify configuration artifacts. In an agentic environment, that can lead to unintended exposure of sensitive project context, unsafe handling of secrets, or unreviewed filesystem changes, especially in production or mixed-trust repositories.

VirusTotal

66/66 vendors flagged this skill as clean.
