gstable-ai-payment

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed crypto payment skill, but it gives an agent broad live-wallet authority, including automatic on-chain payments and unlimited token approvals.

Install only if you intend to let an agent operate a dedicated low-balance hot wallet. Do not use a primary wallet key. Review every payment link, chain, token, recipient or executor contract, calldata, gas cost, and allowance before running `pay`, `approve`, or `execute`; prefer exact approval amounts and revoke allowances after use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 84%
Finding: The skill declares no permissions while the documented behavior clearly requires access to environment secrets, network connectivity, and likely external tool/runtime capabilities. This mismatch weakens host-side policy enforcement and can cause users or orchestration systems to grant execution to a skill without understanding that it can read a wallet private key and perform networked payment actions.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 96%
Finding: The skill is presented as a payment helper, but the documented command set includes powerful wallet operations beyond a narrowly scoped payment flow, including arbitrary transaction execution, balance inspection, token allowance checks, approvals, and use of a raw private key from the environment. In an agent setting, this broader-than-advertised capability materially increases the chance of unauthorized fund movement, phishing-by-prompt, or abuse of the wallet for actions unrelated to a legitimate GStable payment.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding: The `execute` command signs and broadcasts an arbitrary transaction to any `to_address` with attacker-controlled calldata, using the wallet private key configured for the skill. That goes beyond payment-specific behavior and effectively turns the skill into a general-purpose hot-wallet transaction relay, enabling arbitrary contract calls, token transfers, approvals, or interactions with malicious contracts if an agent or upstream service supplies untrusted parameters.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding: The `approve` command allows arbitrary ERC20 approvals for any token and any spender, and defaults to an unlimited allowance when no amount is provided. This permits granting a malicious or incorrect spender long-lived authority over user funds completely outside a validated payment session, which is especially dangerous in an agent-operated wallet context.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The feature list advertises automatic token approval and on-chain execution without prominently warning that approvals may authorize spending and that blockchain transactions are irreversible. In practice, an agent or user could trigger approvals or transfers without appreciating the financial consequences, especially if approval defaults are broad or unlimited.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The quick-start and agent example normalize autonomous payment completion with no user-facing confirmation or warning about gas fees, irreversible transfers, or spender approvals. In an agent workflow, examples strongly shape implementation behavior, so this can lead developers to deploy unsafe default automation around a live wallet.

Missing User Warnings

Severity: High
Confidence: 99%
Finding: When `amount` is omitted, the code silently sets the allowance to `MAX_UINT256`, creating effectively permanent token access for the spender. In a payment skill, this is dangerous because users may expect a one-time payment authorization, but the spender could later drain approved tokens if compromised, malicious, or mistakenly specified.

Missing User Warnings

Severity: High
Confidence: 97%
Finding: The `pay` flow automatically checks the allowance, may submit an approval transaction, waits for confirmation, and then broadcasts the payment transaction without any explicit pre-execution confirmation step. In an agent setting, that reduces friction at the cost of safety: if the link, executor contract, prepared calldata, or upstream API response is malicious or compromised, the wallet can be committed on-chain immediately.

VirusTotal

66/66 vendors flagged this skill as clean.
