Duxiaoman Payment Skill (度小满支付技能)

Security checks across malware telemetry and agentic risk

Overview

This payment skill is review-worthy because it can create a persistent payment identity and install downloaded skills, while its install and credential handling are under-scoped.

Install only if you trust the publisher and the dxmpay workflow. Before using `installSkill`, verify the exact skill ID and expected provider endpoint, avoid setting `SP_WEATHER_BASE` unless intentionally testing a trusted endpoint, and treat the generated `clawpay.json` private key as a credential that should be protected or removed when no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Intent-Code Divergence
Severity: Medium
Confidence: 95%
Finding: The file claims the skill 'does not execute any external commands' while elsewhere instructing the runtime to invoke `node scripts/clawpay-cli.js` and `node scripts/qrcode.js`. This inconsistency can mislead reviewers and downstream skills about the trust boundary, causing them to pass data into a flow that actually shells out and performs network/file operations.

Intent-Code Divergence
Severity: Low
Confidence: 88%
Finding: One section says `payUrl` only needs to start with `https://`, while a later security section requires `https://www.dxmpay.com/`. Inconsistent validation requirements are dangerous because implementers may enforce the weaker rule, allowing attacker-controlled URLs to be encoded into QR codes and presented as trusted payment links.

Description-Behavior Mismatch
Severity: Medium
Confidence: 98%
Finding: The CLI performs full remote skill download and local installation, which materially exceeds the stated wallet/payment-link purpose of the skill. That mismatch increases the likelihood of hidden supply-chain behavior: a payment-related capability can fetch code from a remote service and place it into the local skills directory, enabling execution or persistence of untrusted content.

Context-Inappropriate Capability
Severity: High
Confidence: 99%
Finding: The custom ZIP extraction logic writes archive entries directly via `path.join(destDir, fileName)` without validating traversal sequences or symlinks, so a crafted archive can escape the intended extraction directory and overwrite arbitrary files. In this skill, that risk is amplified because the extracted contents are later copied into the skills workspace, making remote package delivery a direct path to filesystem compromise.

Intent-Code Divergence
Severity: Medium
Confidence: 96%
Finding: The code comments and usage text state that short-link creation is opt-in and disabled by default, but the CLI actually sets `enableShortUrl = true` unless `--long-url` is passed. This mismatch can cause unexpected outbound network requests and disclosure of payment URLs to the remote shortening endpoint, which is a real security/privacy issue because operators may rely on the documented safer behavior.

Vague Triggers
Severity: Medium
Confidence: 84%
Finding: The direct-user triggers include broad phrases like '我要充值' ("I want to top up") and '怎么付款' ("how do I pay"), which can overlap with ordinary conversation and unintentionally route users into a payment/install flow. In a payment-related skill, accidental invocation increases the chance of social engineering, unwanted purchase prompts, or confusing users into trusting generated payment artifacts.

Missing User Warnings
Severity: Medium
Confidence: 90%
Finding: The code stores the generated private key and registration metadata in `clawpay.json` on disk without setting restrictive file permissions or warning the user. If another local user, process, backup system, or malware can read that file, the key can be stolen and used to impersonate the client in signed requests.

Missing User Warnings
Severity: Medium
Confidence: 93%
Finding: The program downloads a remote archive, extracts it, and copies its contents into the local skills directory without an explicit warning or confirmation. In the context of a payment-wallet skill, silent local modification is especially dangerous because users do not reasonably expect code installation behavior, making social engineering and supply-chain abuse more likely.

VirusTotal

52/52 vendors flagged this skill as clean.