openkrill

Security checks across malware telemetry and agentic risk

Overview

This skill is mainly a micropayments helper, but it also gives agents broad paid-request authority and disposable-email inbox handling that need careful review.

Install only if you intentionally want both x402 micropayments and disposable email automation. Use a dedicated low-balance thirdweb project and wallet, set a small per-request cap manually, review every paid URL before execution, and delete or protect .agent-emails.json after use. Do not use this for important email accounts, sensitive verification links, or a broad thirdweb key tied to other funds.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (16)

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The documentation broadens the skill from payment handling into email-account lifecycle and verification support, which is a separate sensitive capability. This increases the chance that an agent will use the skill for identity bootstrapping or account registration without a user clearly understanding that email access is included.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The Mail.tm section gives concrete steps to create temporary email accounts, obtain tokens, list messages, and read message contents, none of which are necessary for x402 payments. In context, this enables automated account creation and interception of verification emails, expanding the skill into a credential and communications handling tool.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
This reference file materially expands the skill from x402 micropayments into disposable-email account creation, token retrieval, inbox polling, and message access. That capability enables autonomous account bootstrapping and verification flows for third-party services, which is unrelated to payment handling and increases abuse potential for mass signups, evasion, and unauthorized automation.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The document provides step-by-step instructions for autonomous disposable-email creation and message retrieval, including authentication token handling and polling inboxes. In the context of an x402 payment skill, this is unjustified capability creep that facilitates automated signup, OTP capture, and account verification workflows beyond the declared purpose.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script refuses to run unless THIRDWEB_SECRET_KEY is present even though all balance queries use hardcoded public RPC endpoints and never authenticate with thirdweb. This needlessly expands secret exposure by encouraging users or agents to provision a sensitive credential into an execution context that does not require it, increasing the chance of accidental leakage through logs, process environments, or broader skill access.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The environment documentation states that THIRDWEB_SECRET_KEY is required, but the implementation never uses that secret for any network request. In an agent skill that handles payments and wallets, misleading secret requirements are more dangerous because they train operators to supply privileged credentials unnecessarily, creating avoidable secret-handling risk without any functional benefit.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The file advertises and implements disposable email creation and inbox access even though the skill is described as an x402 micropayments helper. This capability mismatch is dangerous because it enables unrelated account creation, verification interception, and message harvesting under the cover of a payments-focused skill, which is a classic indicator of hidden functionality.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
This code creates disposable email accounts, authenticates to a third-party mail service, and stores credentials locally, none of which are required for x402 micropayments. In this context, the functionality can facilitate stealth signups, evasion of identity checks, and preparation for later inbox access, making the hidden capability materially risky.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script refreshes tokens and retrieves inbox contents and specific messages from Mail.tm, giving the skill the ability to read remote email. For a micropayments skill, this is unrelated and dangerous because it could be used to capture verification codes, password reset links, or other sensitive communications from accounts the agent creates or controls.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
This wrapper forwards a user-supplied URL, method, and optional body to a privileged third-party payment endpoint, enabling arbitrary outbound requests rather than limiting usage to known x402-compatible destinations. In an agent context, this broad network capability can be abused to exfiltrate data, contact unintended services, or trigger paid requests to attacker-controlled endpoints while using the operator's secret key and payment context.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill instructs storing email address, password, and token in a local JSON file without safeguards, rotation, or warning about sensitive-data handling. Local plaintext credential storage creates an avoidable risk of credential leakage, reuse, and later misuse by other tools or processes on the system.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation instructs use of a highly sensitive `x-secret-key` in API requests but does not warn that the key must be kept server-side and never exposed to clients, logs, or browser code. In an agent-skill context, this omission can lead integrators to embed the credential in prompts, frontend code, or shared examples, causing credential theft and unauthorized payment or wallet operations.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The Mail.tm workflow tells agents to store email address, password, token, and account ID, but does not provide strong safeguards for handling credentials or potentially sensitive message contents. This increases the risk of leaking bearer tokens, OTPs, verification links, or personal data through logs, local files, or unintended downstream use.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code writes email addresses, passwords, and bearer tokens to .agent-emails.json in the current working directory without access controls, encryption, or a meaningful warning. Anyone with local filesystem access, or any process that can read the workspace, could recover reusable credentials and access the associated inboxes.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script sends generated email credentials to the external Mail.tm API to create accounts and obtain tokens, but the skill does not clearly disclose this external transmission or its privacy implications. In an agent setting, undisclosed credential and metadata transmission to third parties can surprise users and expose account details outside the expected payment-processing boundary.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The code automatically transmits request payloads plus payment-related parameters to an external service using the secret-backed payment flow, with no interactive confirmation, dry-run mode, or warning about data leaving the local environment. In an agent skill designed to make micropayments automatically, this increases the chance of unintended spending and accidental disclosure of sensitive request contents to external services.

VirusTotal

66/66 vendors flagged this skill as clean.
