ClawHub

Clawallex

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Clawallex payment-card skill, but it can create USDC-funded virtual cards and stores account credentials locally.

Install only if you trust Clawallex and intend to let an agent work with this payment account. Use a dedicated or limited API key when possible, protect ~/.clawallex on shared machines, approve every payment, subscription, refill, and card-control change explicitly, and never let full PAN/CVV or API secrets appear in chat logs or saved agent memory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README instructs users to connect existing accounts with API keys and says credentials will be saved, but it provides no warning about the sensitivity of those keys, where they are stored, or how to protect them. In an agent context, unclear credential-handling guidance can lead to insecure storage, overbroad access, or accidental exposure of financial account credentials.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README presents signup, setup, payment, and subscription creation as routine agent commands without clearly warning that these actions can spend funds, create cards, or initiate real financial activity. In a payment skill, this omission increases the risk of users or downstream agents triggering unintended transactions without informed confirmation or spending safeguards.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill asks the user to provide an API key and secret, but does not warn at that point that the credentials will be saved locally for later reuse. Collecting high-value secrets without immediate disclosure of storage behavior undermines informed consent and raises the risk of accidental persistence on shared or insecure systems.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal