ClawHub

HyperNatt BTC Signal (x402)

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed paid HTTP client for a BTC/USDC signal endpoint, with no evidence of hidden persistence, local data harvesting, trade execution, or destructive behavior.

Install only if you intend to make paid x402 requests for this signal. Keep X402_PAYMENT_B64 scoped and short-lived if possible, leave HYPERNATT_SIGNAL_URL unset or set only to https://hypernatt.com/api/m2m/signal, and verify the publisher/source before relying on financial data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Tainted flow: 'req' from os.environ.get (line 46, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
req = urllib.request.Request(SIGNAL_URL, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=20) as resp:
            body = resp.read().decode("utf-8")
            payload = json.loads(body)
            return {"status": resp.status, "data": summarize(payload)}
Confidence
93% confidence
Finding
with urllib.request.urlopen(req, timeout=20) as resp:

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill declares no permissions in its manifest-like metadata, yet the description explicitly indicates use of environment variables and outbound network access via handler code. This mismatch can mislead users and reviewers about the skill’s actual capabilities, reducing transparency and making it easier for a skill to access local secrets or contact external services without informed approval. In this context, the skill is payment-enabled and fetches remote data, so undeclared env/network access is more concerning than for a purely local static skill.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The code automatically reads a payment credential from an environment variable and sends it to a remote endpoint without any explicit confirmation, destination allowlisting, or user-facing warning at send time. Because the URL is also overrideable via an environment variable, a misconfiguration or malicious runtime environment could cause the credential to be transmitted to an attacker-controlled host, resulting in credential/payment-token leakage or unauthorized billing.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The code automatically transmits payment-related headers to the remote endpoint with no explicit user confirmation, destination verification, or visible disclosure at the point of use. In this skill's context, that is more dangerous because the skill is marketed as read-only JSON, yet it can still send a bearer-like payment artifact to a server, and if the URL is overridden those credentials could be exposed to an attacker-controlled endpoint.

VirusTotal

2/64 vendors flagged this skill as malicious, and 62/64 flagged it as clean.

View on VirusTotal