FluxA-agent-wallet

Security checks across malware telemetry and agentic risk

Overview

This wallet skill is not proven malicious, but it needs Review because it can move funds, store and reuse spending approvals, reveal payment card details, and set up recurring unpinned wallet checks.

Install only if you trust FluxA and intentionally want an agent to have payment authority.
  • Pin the CLI version instead of using @latest.
  • Skip scheduled checks unless you explicitly want recurring wallet monitoring.
  • Keep mandates narrow and short-lived.
  • Verify every recipient and amount before signing.
  • Protect ~/.fluxa-ai-wallet-mcp.
  • Avoid revealing card details in chat.
  • Treat agent tokens, JWTs, payer emails, and wallet records as sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (23)

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding: The file instructs the agent to perform broad social-network behaviors such as registering, posting, following accounts, and claiming red-packets, which extend well beyond the wallet skill’s stated payment-focused purpose. In a wallet-enabled skill, this scope expansion is dangerous because it can drive the agent into externally hosted, loosely bounded workflows that may trigger financial actions or social-engineering outcomes without clear user intent or authorization boundaries.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding: The scheduled task expands beyond core wallet operations to fetch and summarize content from external announcement and social-feed endpoints. In a scheduled, potentially unattended context, this increases attack surface for prompt injection, irrelevant data exfiltration, and unwanted network activity that is not strictly necessary for wallet management.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding: This guide repurposes a wallet/payment skill into a media-generation orchestrator by instructing it to discover and call image/video APIs. In a wallet-capable agent, that scope expansion is dangerous because it enables spending and third-party data transfer for actions outside the declared payment-focused purpose, increasing the chance of unauthorized or unexpected paid activity.

Description-Behavior Mismatch

Severity: Medium
Confidence: 98%
Finding: The documented behavior materially expands the skill from handling payments to selecting, invoking, and coordinating third-party content-generation services. That is a risky privilege broadening in the context of a wallet-enabled skill, because the same component that can move funds is now also deciding what external services to buy and what prompts/data to send.

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding: This documentation introduces a capability to mint verifiable credentials for third-party identity, SSO handoff, account binding, and webhook authentication, which is outside the stated wallet skill scope of payment-related actions. In an agentic environment, expanding a payment wallet skill into general-purpose identity assertion increases privilege surface and can enable unintended cross-service authentication flows that users and policy systems may not expect.

Context-Inappropriate Capability

Severity: Medium
Confidence: 87%
Finding: The documented ability to issue third-party authentication credentials using the same signing key as the login token materially broadens what this skill can do beyond payments. Even though the document states FluxA endpoints reject `typ: agent-vc`, the credential can still be trusted by external services, creating an identity delegation channel not covered by the manifest-described purpose.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding: The guidance explicitly recommends using the skill for external SSO, account binding, and webhook authentication, confirming real intended usage beyond the declared payment-wallet scope. That mismatch is dangerous because agent platforms and users may grant this skill based on a narrow payment trust model while it can actually facilitate external identity assertions to arbitrary third parties.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding: The documentation explicitly instructs the agent to run a local `open` command on an authorization URL. Launching local applications or browsers from skill instructions crosses a host-action boundary and can be abused for phishing, unexpected UI interactions, or opening attacker-controlled URLs if the authorization URL is tampered with or not strongly validated.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: The documentation describes transferring funds to friends, creating a watch-only URL, following accounts, and claiming red-packets without any warning about financial loss, privacy exposure, or the need for explicit confirmation. In the context of an agent wallet, omitting these safeguards is risky because the agent may expose wallet activity or initiate financially meaningful actions based on ambiguous social prompts.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The guide instructs users to save returned `agent_id`, `token`, and `jwt` but does not identify `token` and `jwt` as sensitive secrets or provide handling requirements. In a wallet/payment integration, this omission can lead to credentials being stored in source control, logs, shared docs, or insecure local files, enabling unauthorized payment-link creation or impersonation if leaked.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The policy explicitly instructs the agent to read and persist mandate data in a local file across conversations, but it does not require any user notice, consent, minimization, or retention controls for this payment-related state. In a wallet skill, cross-conversation storage of mandate IDs, scopes, limits, and validity periods can expose sensitive financial metadata and enable unintended reuse of prior approvals if another task or prompt accesses the same local state.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding: The documentation explicitly shows `received-records` output containing `payerEmail`, which is personally identifiable information, but provides no guidance on minimization, redaction, access control, retention, or safe display/logging. In an agent-wallet context, agents may automatically ingest, summarize, store, or retransmit CLI output, increasing the chance of unintended disclosure of payer data to users, logs, downstream tools, or other agents.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The instructions direct the agent to read wallet transaction records and fetch remote URLs without clearly warning the user that sensitive financial metadata will be processed and that outbound network requests will occur. For a scheduled task, this is risky because it may repeatedly access private wallet history and external content without ongoing, informed user awareness.

Missing User Warnings

Severity: Low
Confidence: 88%
Finding: The task persists a local check-in file containing announcement dates and recent summaries, but the instructions do not clearly disclose that this state will be written and retained. Even if the retained data is limited, summaries of wallet activity can contain sensitive financial context and create an unexpected local privacy footprint.

Vague Triggers

Severity: Medium
Confidence: 94%
Finding: The skill’s activation language is overly broad for a wallet that can initiate payments, transfers, card issuance, and identity assertions. A generic instruction to use the tool for 'payment-related actions' increases the chance an agent invokes it on ambiguous user requests without first establishing explicit user intent, amount, recipient, and authorization boundaries.

Vague Triggers

Severity: Medium
Confidence: 93%
Finding: The repeated broad activation guidance reinforces use of a highly sensitive financial skill in loosely defined contexts. Because this skill can trigger wallet linking, mandate creation, payouts, and x402 payments, imprecise invocation logic materially raises the risk of unnecessary exposure of wallet state or accidental progression toward spending actions.

Missing User Warnings

Severity: High
Confidence: 90%
Finding: The skill handles highly sensitive financial operations and stores credentials locally, but the user-facing setup flow does not prominently warn about the risks of wallet linkage, local credential storage, payment authorization, and downstream fund movement. In a financial context, lack of clear warnings can mislead users and downstream agents into treating setup as routine rather than security-sensitive.

Missing User Warnings

Severity: High
Confidence: 97%
Finding: The command reference exposes a capability to reveal full prepaid card details, including PAN, CVV, and expiry, without an equally prominent warning that this data is extremely sensitive. In an agent setting, this creates a severe risk of accidental display, logging, prompt leakage, transcript retention, or disclosure to third-party tools and services.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The documented flow instructs an agent to create a mandate, obtain a signature, and submit an x402 payment that results in a real onchain USDC transfer, but it does not explicitly warn that funds will be moved irreversibly. In an agent-wallet context, this omission is dangerous because an agent or operator may treat the sequence as a routine API call rather than a spend action requiring heightened confirmation and recipient/amount verification.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The instructions tell the agent to request a budget and then handle payment for external API calls, but they do not require clear disclosure of total cost, vendor identity, what data/prompts will be sent externally, or confirmation immediately before charging. In a wallet context, this can lead to surprising charges, weak informed consent, and unintended disclosure of user-related inputs to third-party services.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding: The document describes autonomous payments within a pre-approved mandate but does not prominently warn about financial consequences, repeated charges, spending windows, or the risk of repeated API calls consuming budget. In an agent wallet context, omission of explicit user-facing spend warnings increases the chance of unintended financial loss even if mandates technically bound spending.

Self-Modification

Severity: High
Category: Rogue Agent
Content (excerpt from the skill):
| **Charge Agent** | Receive payments from agents via Payment Link + x402 | [INTEGRATION-GUIDE-CHARGE-AGENT.md](INTEGRATION-GUIDE-CHARGE-AGENT.md) |
| **Payout to External Wallet** | Send USDC to any Base chain wallet address | [INTEGRATION-GUIDE-PAYOUT.md](INTEGRATION-GUIDE-PAYOUT.md) |

## Troubleshooting — Update Skill & CLI

If you encounter persistent errors during payment or other operations that you cannot resolve, the skill or CLI version may be outdated. Update from:
Confidence: 92%
Finding: Update Skill

Session Persistence

Severity: Medium
Category: Rogue Agent
Content (excerpt from the skill):
**MUST** follow when working with intent mandates:

1. **Plan by task intent, not by API call.** Assess the full task before creating a mandate — estimate total cost across all steps, create one mandate for the whole workflow.
2. **Check for reusable mandates first.** Before creating a new mandate, check both the current conversation context and `~/.fluxa-ai-wallet-mcp/mandates.json` for existing signed, unexpired mandates that fit.

Full planning rules, task classification, and state file schema: [MANDATE-PLANNING.md](MANDATE-PLANNING.md)
Confidence: 88%
Finding (flagged snippet): create one mandate for the whole workflow. 2. **Check for reusable mandates first.** Before creating a new mandate, check both the current conversation context and `~/.fluxa-ai-wallet-mcp

VirusTotal

65/65 vendors flagged this skill as clean.
