ClawHub

AI-native Bitcoin payments. Buy, sell, send, and request Bitcoin directly through any existing messenger app (Telegram, WhatsApp, Signal, Email) or create your own email accounts to start messaging via email.

Security checks across malware telemetry and agentic risk

Overview

This is a real Bit-Chat payment and mailbox skill, but it gives an agent broad financial, account-creation, mailbox-reading, and recurring-check authority without enough user-control boundaries.

Install only if you are comfortable with an agent creating or using a Bit-Chat mailbox, storing mailbox credentials, polling email, contacting Bit-Chat over external channels, and handling Bitcoin-related instructions. Before use, require explicit approval for setup, recurring polling, credential storage, remote-instruction updates, and every payment, purchase, sale, bank-detail message, or recipient change.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The heartbeat materially expands the skill from payment-rail interactions into recurring mailbox surveillance and outbound health checks across multiple channels. That broadens the agent’s authority and data access beyond the stated purpose, increasing the chance of unauthorized message review, unintended external communications, and abuse of the agent as a monitoring bot.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
Telling the agent to save new operational information to local notes or secret metadata creates a persistence path for credentials, payment details, contact data, or message contents without clear necessity or safeguards. Persistent storage of such data increases exposure if the agent memory, logs, or notes are later accessed by other tools, users, or compromised components.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill instructs the agent to read unread mail and inspect full message bodies, including potentially important messages with vague subjects, but provides no privacy notice, minimization guidance, or user-consent boundary. That creates a real risk of over-collection of personal or financial content from the mailbox, especially because the skill is framed as a payment tool and may encounter sensitive transaction data.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The instruction to save operational information to local notes or secret metadata lacks any warning that sensitive information may be persistently retained. Without disclosure and storage controls, the agent may silently accumulate mailbox-derived or payment-related data in long-lived memory, magnifying confidentiality and compliance risk.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The skill instructs the agent to automatically perform first-run actions on installation, including creating an account and contacting an external service, without requiring explicit user confirmation. This can trigger unintended external communications and side effects immediately upon install, which is risky for agent environments where installation should not imply consent to act.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill directs automatic mailbox creation, outbound contact to Bit-Chat, forwarding data to the human, and persistence of the Lightning address in local state, but does not provide a clear up-front warning or consent boundary for these behaviors. In practice, this can disclose identifiers, create external accounts, and store payment-related data without informed user approval, increasing privacy, operational, and financial risk.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal