BTC Bot | Give your agent a wallet or credit card

Security checks across malware telemetry and agentic risk

Overview

This is a real-money shopping and payment skill with disclosed guardrails, but it gives an agent broad financial authority, card-data handling, outbound email/payment collection, and local decryption-script execution that need careful review.

Install only if you intentionally want this agent to handle real payments. Use strict approval mode, low limits, a dedicated low-limit card or wallet, merchant allowlists where possible, and avoid the main-agent card decryption fallback. Treat the API key and delivered card files as sensitive secrets, inspect or sandbox any decrypt script before running it, and require explicit confirmation before purchases, invoice emails, payment links, or fulfillment actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Context-Inappropriate Capability
Medium
Confidence: 91%
Finding: The guide explicitly supports purchases from arbitrary URLs (`merchant=url`), which materially weakens the stated promise of strict purchasing controls. In a shopping/payment skill, this broadens the trusted surface from curated merchants to effectively any store, increasing the risk of fraudulent, policy-violating, or unintended purchases through unvetted third-party sites.

Description-Behavior Mismatch
Medium
Confidence: 90%
Finding: The skill explicitly instructs the agent to carry out purchases on arbitrary third-party merchant sites after obtaining approval and decryption material. That expands behavior beyond a narrow wallet/API integration into open-ended web actions, which can be abused for prompt-injected checkout flows, unintended purchases, or exfiltration through hostile merchant pages.

Context-Inappropriate Capability
Medium
Confidence: 95%
Finding: The file authorizes spawning a sub-agent and executing a local decryption script that yields full cardholder data, materially increasing privilege and exposure. Even if intended for isolation, this creates a capability path for handling raw payment data and executing local code-like instructions, which is highly sensitive and dangerous in an agent environment.

Intent-Code Divergence
Medium
Confidence: 92%
Finding: The documentation first promises the main agent never sees decrypted card details, then explicitly allows a fallback where the main agent performs the decryption flow itself. This contradiction undermines operator trust and can lead deployments to expose full card data in the primary agent context, where it may be retained in memory, logs, traces, or downstream tools.

Description-Behavior Mismatch
Medium
Confidence: 89%
Finding: The manifest markets the skill as a controlled shopping wallet, but the documented functionality materially expands into merchant tooling such as payment collection, storefronts, and invoicing. This capability mismatch can mislead reviewers and users, causing them to grant the skill broader financial authority than they intended.

Context-Inappropriate Capability
Medium
Confidence: 92%
Finding: The skill exposes APIs for creating payment links, invoices, checkout pages, seller profiles, and public shops even though its stated purpose is spending control for shopping. This unnecessary expansion of financial capabilities increases attack surface and enables unintended money movement or external charging workflows beyond the user's expected scope.

Missing User Warnings
Medium
Confidence: 90%
Finding: The skill documents collection and return of buyer personal data such as buyer_email and optional buyer names, but provides no user-facing privacy notice, consent guidance, retention guidance, or data-handling limitations. In an agent context, this can lead operators to collect and expose PII through APIs, logs, webhooks, and downstream systems without understanding the privacy implications.

Missing User Warnings
Medium
Confidence: 95%
Finding: The skill supports sending invoices and payment-related emails to recipients, but it does not clearly warn users that invoking these endpoints causes outbound communication to third parties. In an agent setting, silent email-sending capabilities can be abused for spam, phishing-like payment requests, or unintended disclosure of commercial and personal information to external recipients.

Missing User Warnings
Medium
Confidence: 88%
Finding: The document describes a real purchase flow and includes transmission of shipping address data, but it does not prominently warn that invoking the endpoint initiates actual spending and sends personal data to external infrastructure/merchants. In an agent skill context, missing consent and data-handling warnings increase the chance of accidental purchases and privacy-impacting disclosures.

Missing User Warnings
Medium
Confidence: 88%
Finding: The skill instructs the agent to save an encrypted card file containing decryption logic and sensitive payment material to disk without prominent warnings or secure storage requirements. Even though encrypted at rest, storing this artifact on disk increases the attack surface through file leakage, backup systems, sync tools, or later misuse once a key is obtained.

Vague Triggers
Medium
Confidence: 91%
Finding: The description 'Let your agent buy things online — Amazon, Shopify, and more' is broad enough to match generic shopping or purchasing requests, which can cause the skill to activate in situations where the user did not intend a real-money transaction flow. In a payment-enabled skill, ambiguous triggering is especially risky because it can route ordinary browsing or product-comparison queries into wallet-funded purchasing actions.

VirusTotal

66/66 vendors flagged this skill as clean.