FluxA Agent Wallet for x402 Resources Payment

Security checks across malware telemetry and agentic risk

Overview

This payment skill is mostly coherent, but it ships extra wallet-transfer capability and persistent wallet credentials that are not clearly scoped in the user-facing instructions.

Install only if you trust FluxA and the publisher with delegated payment authority. Use small task-specific budgets, verify the exact endpoint and payment payload before spending, avoid using the payout command unless you explicitly intend a transfer, and treat ~/.fluxa-ai-wallet-mcp/config.json as sensitive wallet credential material that should be protected or removed when no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill instructs the agent to run CLI commands that interact with external services and potentially use environment-backed credentials, yet the skill declares no explicit permissions. This mismatch is dangerous because it can cause operators or policy layers to underestimate the skill's ability to access network resources and sensitive wallet/auth context, reducing transparency and reviewability.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented purpose focuses on budget requests and x402 payments, but the associated behavior reportedly includes identity registration, local credential/JWT storage, token refresh, and blockchain payouts. That broader functionality materially increases the attack surface: hidden auth handling and payout features can enable unauthorized fund movement or credential exposure if invoked without clear user understanding and consent.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The file implements `createPayout` and `getPayoutStatus`, enabling direct value transfer operations that go beyond the described budget/x402 payment flow. In an agent skill, exposing payout primitives materially expands the skill’s authority and abuse potential, because a compromised or mis-prompted agent could trigger outbound transfers rather than only generate payment headers for constrained paid API access.

Description-Behavior Mismatch

Medium
Confidence
83% confidence
Finding
The CLI help text advertises standalone `payout` and `payout-status` commands that are not reflected in the stated skill purpose of budget requests, x402 signing, and paid endpoint calls. This mismatch is dangerous because operators may trust the manifest description while the shipped tool exposes broader money-moving functionality, increasing the chance of accidental or unauthorized use.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
`saveAgentId` persists the agent ID, token, and JWT in plaintext under a predictable directory in the user's home folder, with no warning, encryption, or permission hardening. These credentials authorize wallet actions, so local compromise, multi-user access, backups, or accidental disclosure could let an attacker impersonate the agent and initiate payments or payouts.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The `payout` command performs an outbound wallet transfer based only on command-line parameters and a valid JWT, with no interactive confirmation, recipient allowlist, secondary authorization, or risk checks. In an autonomous-agent setting, this is especially dangerous because prompt injection, workflow mistakes, or compromised orchestration can directly cause irreversible fund transfers to attacker-controlled addresses.

External Transmission

Medium
Category
Data Exfiltration
Content
```
# Get `data.xPaymentB64` from response as PAYMENT_MANDATE
# This PAYMENT_MANDATE is sent to the server via the **X-Payment HTTP header** to complete the payment.
curl -H "X-PAYMENT: $PAYMENT_MANDATE" https://api.example.com/paid-endpoint
```
Confidence
87% confidence
Finding
https://api.example.com/

VirusTotal

66/66 vendors flagged this skill as clean.
