Ghost Protocol OpenClaw Pay

Security checks across malware telemetry and agentic risk

Overview

This is a real payment integration, but it gives an agent live signer-backed payment authority with limited built-in safeguards.

Install only if you intentionally want an agent to perform real Ghost/x402 payment and settlement workflows. Use a dedicated low-balance signer, store the private key only in protected runtime secret storage, avoid CLI private-key flags, require human approval for live paid calls, cap amounts, restrict merchant URLs and Ghost base URLs in your runtime, and avoid putting sensitive payer data or secrets in settlement metadata.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (6)

Missing User Warnings

Medium
Confidence: 92%
Finding
The installation guidance tells operators to provide `GHOST_SIGNER_PRIVATE_KEY` but gives no warning about secure secret storage, scope limitation, rotation, or the consequences of exposing a blockchain signing key. In a payment-signing skill, that omission is security-relevant because users may paste the key into shells, config files, logs, or shared environments, enabling unauthorized payment signing or fund loss if the key is leaked.

Missing User Warnings

Medium
Confidence: 90%
Finding
The quickstart instructs users to set a signer private key environment variable but provides no warning about the sensitivity of that secret, secure storage practices, or the risk of shell history, logs, screenshots, and process exposure. In a skill explicitly designed to execute real payment and escrow flows, this omission materially increases the chance of credential mishandling and subsequent wallet compromise.

Missing User Warnings

Medium
Confidence: 93%
Finding
The quickstart presents a live paid request command immediately after a dry-run example without a prominent warning that it may transmit prompt content to a remote merchant endpoint and initiate a real paid transaction. In the context of a payment skill that performs x402 calls and reports settlements, users could unintentionally incur charges or disclose sensitive data by copying the command verbatim.

Missing User Warnings

Medium
Confidence: 89%
Finding
The README instructs users to supply a required signer private key for real paid calls, but it does not clearly warn that the helper performs live x402 payment/authentication interactions with external merchant and Ghost endpoints. In a payment skill context, that omission is security-relevant because users may run examples thinking they are local or low-risk, exposing signed payment material and triggering real financial actions against third-party services.

Missing User Warnings

Medium
Confidence: 95%
Finding
This code performs real x402 paid requests to a fully user-controlled URL, method, headers, and body, with no allowlist, confirmation step, or safety interlock beyond an optional dry-run flag. In the context of a payment/escrow skill, that is more dangerous because invoking the tool can directly trigger value-bearing external interactions, enabling SSRF-like access to arbitrary endpoints and unintended paid transactions if an attacker can influence inputs.

Missing User Warnings

Medium
Confidence: 93%
Finding
The script sends settlement and payer-related data, including request identifiers, payment references, payer identity, optional payer address, and metadata, to a remote telemetry endpoint without any explicit user-facing disclosure, confirmation, or minimization controls. In a payment/escrow skill, this is security-relevant because operators may unintentionally exfiltrate sensitive financial or personal data to a third-party service, especially when metadata may contain additional secrets or regulated data.

VirusTotal

66/66 vendors flagged this skill as clean.
