Skillv1.4.2

ClawScan security

PayRam MCP Integration · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 3, 2026, 10:58 PM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The skill's documentation and runtime instructions request and encourage activities (downloading/executing scripts, creating and storing wallet mnemonics/tokens, connecting to a remote MCP) that are not reflected in the declared requirements, and include high-risk install/run patterns — proceed only after manual review and isolation.
Guidance: Do not run the suggested curl|bash or headless scripts without manual review and isolation. Confirm the upstream GitHub repos and inspect the setup scripts line-by-line before executing. Treat any PAYRAM_MNEMONIC or saved token files as highly sensitive — never provide real mainnet mnemonics or private keys to an untrusted script or agent. If you intend to experiment, do so in an isolated VM or container with ephemeral keys and testnet funds only. Verify legal/AML compliance for your use case — the 'no KYC / no signup' pitch may expose you to regulatory or platform risk. If you need this capability, prefer: (1) auditing the repository code, (2) self-hosting in an air-gapped or well-monitored environment, (3) using ephemeral test keys, and (4) ensuring the agent cannot autonomously exfiltrate files or secrets to external endpoints without explicit approval.

Review Dimensions

Purpose & Capability: concernThe skill claims 'no KYC, no signup, no API key' and declares no required env vars/credentials, but the SKILL.md and headless docs instruct the agent operator to provide PAYRAM_EMAIL, PAYRAM_PASSWORD, PAYRAM_MNEMONIC and other env vars and to run signup/signin/setup flows. That mismatch (declared requirements: none vs instructions: many secrets and auth-related variables) is incoherent.
Instruction Scope: concernThe runtime instructions tell agents to clone repositories, run headless scripts, execute deploy scripts, create wallets, store tokens and mnemonics in .payraminfo files, and to run curl|bash install lines. These steps go beyond simple code snippets generation — they create persistent secrets on disk, deploy smart contracts, and can cause network interactions with payram servers or public RPCs. The instructions also reference connecting to a hosted MCP endpoint (https://mcp.payram.com/mcp), which will send data off-host; none of this is declared in the skill metadata.
Install Mechanism: concernAlthough the skill is instruction-only (no packaged install spec), it explicitly recommends high-risk installation patterns: 'curl -fsSL https://raw.githubusercontent.com/PayRam/payram-scripts/main/setup_payram.sh | /bin/bash' and cloning & running scripts from GitHub. Download-and-execute from raw URLs and running remote setup scripts is a high-risk practice and should be manually audited before use.
Credentials: concernThe skill declares no required environment variables or primary credential, yet the headless setup requires many env vars (PAYRAM_EMAIL, PAYRAM_PASSWORD, PAYRAM_MNEMONIC, PAYRAM_API_URL, RPC URLs, etc.) including sensitive secrets (mnemonic, tokens). Requesting wallet mnemonics and writing them to plaintext files is highly sensitive and not reflected in the metadata — this is disproportionate and not properly declared.
Persistence & Privilege: notealways:false (normal) and agent invocation is allowed (normal). However, the documentation instructs creating persistent files (.payraminfo/headless-tokens.env and headless-wallet-secret.txt) that store authentication tokens and mnemonics on disk. This persistence is within the skill's stated self-hosted use-case but increases risk if run in an environment with other secrets or network access.