Orthogonal API Platform - Access paid APIs using the SDK, Run API, or x402 direct payment. Search, discover, and integrate APIs with simple tool calls.

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Orthogonal API skill, but it enables paid API calls and optional blockchain payments without clear per-call consent, spend limits, or private-key safety guidance.

Install only if you want the agent to discover and call paid Orthogonal APIs. Require explicit approval before any /v1/run or x402 request; review the target API, request body, destination, and price; use a restricted Orthogonal API key; and never use a main wallet private key. Use a dedicated low-balance wallet or safer secret storage for payment flows.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly documents a paid execution path (`/v1/run`) that spends Orthogonal credits, but it does not provide a clear user-facing warning that invoking the tool causes billable actions. In an agent setting, this can lead to unintended charges if the model autonomously follows the documented workflow and triggers paid API calls without informed user consent.

Missing User Warnings

High
Confidence
98% confidence
Finding
The direct-payment example shows use of a blockchain private key and a payment-wrapping fetch flow without any warning about secret handling, wallet risk, or irreversible on-chain spending. In an agent context, this is especially dangerous because users may copy the pattern into automation that exposes private keys or authorizes unintended blockchain payments.

External Transmission

Medium
Category
Data Exfiltration
Content
**Endpoint**: `POST /v1/run`

```bash
curl -X POST 'https://api.orth.sh/v1/run' \
  -H 'Authorization: Bearer $ORTHOGONAL_API_KEY' \
  -H 'Content-Type: application/json' \
  -d '{
```
Confidence
76% confidence
Finding
https://api.orth.sh/

VirusTotal

66/66 vendors flagged this skill as clean.
