Openclaw X402 Skill

Security checks across malware telemetry and agentic risk

Overview

This skill is meant to make crypto micropayments to third-party APIs, but its automatic payment flows and wallet-key handling need careful review before use.

Install only if you are comfortable with agent-triggered USDC payments to third-party APIs. Use a dedicated low-balance wallet, avoid primary wallet keys, prefer testnet first, set strict spend limits, and do not enable MCP automatic payments unless you can verify confirmation, endpoint allowlisting, and logging of amount, recipient, network, and transmitted request data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Intent-Code Divergence

Medium
Confidence: 79%
Finding
The documentation states that the skill will ask the user to confirm before proceeding when a payment exceeds the configured spend limit, but the file otherwise emphasizes autonomous execution and does not show any concrete confirmation mechanism. In a payment-capable skill, this kind of undocumented or unverifiable approval flow is dangerous because agents may charge a wallet based on inaccurate assumptions about user consent.

Intent-Code Divergence

High
Confidence: 92%
Finding
The MCP section claims support for both EVM and Solana, while the supported-networks section later says only Base networks are supported and Solana is merely planned. This inconsistency can cause operators or downstream agents to make incorrect assumptions about which payment rails are active, increasing the risk of failed transactions, unsafe fallbacks, or routing funds to unsupported integrations.

Vague Triggers

Medium
Confidence: 88%
Finding
The README documents an autonomous command pattern (`find <task> and <action>`) that is intentionally broad and can match many user requests without clear boundaries, confirmation gates, or trust checks. In the context of a skill that can discover third-party services, transmit user data, and spend USDC, this ambiguity can cause unintended external calls or paid actions from loosely phrased prompts.

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill instructs users to place an EVM private key in a .env file but does not prominently warn that this is a highly sensitive wallet secret capable of authorizing spending. In a skill designed for autonomous payments, normalizing casual handling of a private key materially increases the chance of credential exposure, theft of funds, or reuse in insecure environments.

Missing User Warnings

Medium
Confidence: 88%
Finding
The autonomous paid-call flow describes discovering and calling third-party services without an upfront warning that user prompts, URLs, query parameters, or payloads may be transmitted externally. That omission matters because users may unknowingly send sensitive or regulated data to untrusted endpoints in the course of automated service selection and payment.

Missing User Warnings

Medium
Confidence: 88%
Finding
The guide encourages automatic payments from a configured wallet and forwarding requests to third-party paid APIs without a prominent warning about real fund spending, destination trust, or possible data disclosure. In an agent/MCP context, this can cause unintended micropayments and transmission of prompts or user-derived data to unvetted external services.

VirusTotal

65/65 vendors flagged this skill as clean.
