Near Getpay - Accept crypto payments with payment page using PingPay or HOT PAY

Security checks across malware telemetry and agentic risk

Overview

The skill mostly does what it advertises, but it also includes under-disclosed crypto payment execution paths and unsafe credential/public-server guidance that users should review carefully.

Install only if you are comfortable running a local payment server that becomes publicly reachable. Put API keys in a local .env or secret store, not in chat; verify the real payment recipient in PingPay/HOT PAY; remove or separately review the invoice-paying NEAR Intents code before use; and do not rely on the advertised webhook signature protection unless you add actual verification.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (16)

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The README explicitly tells the user to send a live PingPay API key to the agent, which normalizes disclosure of a production secret to an automated system. That creates a clear secret-handling risk: the key may be logged, retained in conversation history, exposed to other tools, or misused to create or manipulate payment sessions beyond the narrow need of hosting a payment page.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill performs token swap and cross-chain bridge operations by dynamically importing and invoking another skill, which materially exceeds a simple payment-page integration. This expands the trust boundary and enables high-value asset movements without tight restriction of destination, chain path, or imported module source, making accidental or unauthorized fund movement more dangerous in this context.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The webhook endpoint accepts arbitrary POSTs and processes/logs the full payload without any authentication, signature verification, or source validation. In a payment skill, this is risky because attackers can spoof payment events, poison logs, and create false operational signals about successful payments.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The script exposes a local payment server by creating a generic SSH reverse tunnel to a public hostname, which is materially broader behavior than the declared payment integration purpose. In a payments context, silently publishing a locally hosted service can expose administrative endpoints, debug routes, or sensitive transaction flows to the internet and mislead operators about the trust boundary.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
Spawning external commands such as `npx ts-node` and `ssh -R` expands the attack surface beyond a simple payment-page helper, because it executes toolchain and networking components from the host environment and opens an externally reachable channel. If the local server is insecure or the runtime environment is manipulated, this can lead to unintended code execution paths, data exposure, or unauthorized remote access to the payment workflow.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The example trigger phrase "Create a payment page for me" is broad and overlaps with natural conversation, increasing the chance the skill could be invoked unintentionally in agent environments that use loose phrase matching. In a payment-related skill, accidental activation can lead to unwanted setup actions, public URL exposure, or requests for sensitive configuration.

Missing User Warnings

High
Confidence
99% confidence
Finding
The README encourages users to share a live API key with the agent and provides no warning that secrets should never be pasted into ordinary chat. In agent ecosystems, chat content is commonly logged, inspected, or forwarded to tools, so this guidance materially increases the likelihood of credential compromise.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The instructions tell the user to share a PingPay API key with the agent without emphasizing that the key is a sensitive credential. Encouraging direct disclosure of live API secrets to an agent increases the risk of credential theft, misuse, logging exposure, or accidental reuse outside the intended purpose.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The payment path executes a swap and then a bridge as part of paying an invoice, but there is no explicit in-code confirmation, review screen, or transaction risk acknowledgment before initiating these high-impact operations. In a skill context that may be invoked programmatically, this increases the chance of users triggering irreversible asset transfers without understanding the full effect.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The payInvoice method performs a real payment flow—fetching an invoice, executing a swap/bridge via the provided executor, and submitting payment proof—without any built-in user confirmation gate, consent callback, or prominent warning in its API contract. In an agent skill context, this increases the risk of unintended or prompt-induced fund movement because a caller can invoke the method directly with attacker-chosen invoice details and recipient address derived from the invoice.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The testConnection method performs a real POST request to create a live checkout session using the supplied API key, which can create externally visible payment objects and consume production resources without clear caller disclosure. In an agent-skill context, a seemingly harmless 'test' action may be invoked automatically or by users who do not expect a state-changing network operation, increasing the risk of unintended session creation and credential use.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The handler prints the complete incoming payment payload to logs, which may expose transaction identifiers, memos, amounts, and other payment metadata to anyone with log access. Even if the payload is not directly secret, excessive logging increases privacy risk and can aid replay, correlation, or operational data leakage.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The backend creates payment checkout sessions from unauthenticated client input with no CSRF protection, origin validation, or rate limiting. An attacker can induce a victim browser or automated traffic to generate arbitrary numbers of external payment sessions, causing abuse of the payment API, operational noise, and possible quota or billing impact.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script automatically creates a public internet-facing tunnel to `localhost:3000` without a clear security warning or meaningful consent about the exposure of a local payment server. In the context of handling crypto payments, this is especially dangerous because users may unknowingly expose payment pages, callbacks, test endpoints, or local-only functionality to attackers scanning public tunnel domains.

Ssd 3

High
Confidence
99% confidence
Finding
The sample conversation directly instructs the user to provide a live API key to the agent, which is unsafe operational guidance for a payment-processing integration. Because the skill handles payment setup and public exposure of payment URLs, compromised credentials could allow unauthorized session creation, account misuse, or access to payment-related metadata.

Ssd 3

Medium
Confidence
98% confidence
Finding
The example conversation explicitly normalizes sending a live API key to the agent and then proceeding to run the service. This creates a dangerous pattern for users and can lead to compromise if chat logs, memory, telemetry, or downstream tools retain the credential.

VirusTotal

64/64 vendors flagged this skill as clean.
