PayRam MCP Integration

Security checks across malware telemetry and agentic risk

Overview

This payment skill is coherent with PayRam’s purpose, but it asks users or agents to run unreviewed setup code and automate crypto-payment infrastructure with weakly scoped safeguards.

Install only after reviewing the PayRam MCP server and setup scripts yourself. Do not run the curl-to-bash command on a production or wallet-bearing machine; pin and inspect scripts first, use testnet or empty wallets, protect .payraminfo secrets with strong local permissions or a secret manager, and require explicit human approval for every payout, wallet deployment, contract deployment, or production payment action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding:
The skill documentation instructs users or agents to clone a repository, export credentials, and run a headless bootstrap script that creates wallets and deploys contracts. For a payment-integration skill, this materially expands the trust boundary and can cause credential exposure, unintended account provisioning, on-chain actions, or execution of unreviewed code without meaningful user scrutiny.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding:
The self-hosted setup uses curl piped directly into bash, which executes remote code immediately from a network source. This is dangerous because any compromise of the source, transport, repository, or referenced script can lead to arbitrary code execution on the host, and the payment-skill context does not justify such an installation shortcut inside the skill instructions.

Vague Triggers

Severity: Medium
Confidence: 80%
Finding:
The manifest description contains broad, highly marketable trigger phrases such as 'Stripe alternative' and 'no KYC payments' that may cause the skill to be invoked in loosely related contexts. In an agent ecosystem, over-broad routing can steer users or agents toward payment setup, external MCP connections, or risky install instructions when they did not specifically request this product.

Missing User Warnings

Severity: High
Confidence: 94%
Finding:
The instructions promote non-interactive credential setup for an agent and immediate execution of a headless script, but they do not warn about the security consequences of storing credentials in environment variables or running a script that provisions wallets and deploys contracts. This omission increases the chance that users or automated agents will execute sensitive operations without understanding the risks or verifying the code path.

Missing User Warnings

Severity: High
Confidence: 99%
Finding:
Recommending a remote script piped into bash without any safety warning normalizes unsafe installation behavior and can directly lead to arbitrary code execution. Because this is presented as a frictionless self-hosted option, the skill context makes it more dangerous: users seeking payment infrastructure may be incentivized to run it quickly on production-like systems.

Missing User Warnings

Severity: Medium
Confidence: 85%
Finding:
The documentation promotes fully autonomous payment workflows for crypto transactions without prominently warning that transfers are irreversible, can misroute funds, and may trigger payouts or service delivery without meaningful human review. In the context of a payment skill explicitly marketed for high-risk, no-KYC use cases, this omission increases the chance that agents or operators will deploy unsafe automation that causes financial loss or facilitates abuse.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The documentation explicitly instructs users to store authentication tokens and a wallet mnemonic in local plaintext files under `.payraminfo`. Those artifacts grant account and wallet control, and the guidance only says 'Do not commit' without warning about local compromise, file permissions, encryption, or secure secret handling. In a crypto payment skill, exposure of a mnemonic is especially severe because it can directly enable irreversible fund theft.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding:
The `reset-local [-y]` command is described as wiping the local DB and API data, but the surrounding guidance does not prominently emphasize irreversible data loss before recommending it in operational flows. In a payments context, destructive reset actions can erase configuration, payment state, and wallet/project linkage, which may disrupt service or cause recovery issues if triggered casually or by automation.

VirusTotal

66/66 vendors flagged this skill as clean.