Pay Bills

Security checks across malware telemetry and agentic risk

Overview

This bill-payment skill is mostly coherent, but it persists and prints account session tokens while enabling wallet-funded purchases and account changes.

Review carefully before installing. Use this only if you trust the publisher and are comfortable letting an agent handle bill-payment authentication and wallet-funded actions. Avoid shared machines, do not share logs or transcripts containing command output, clear the saved session token after use, and require explicit confirmation of recipient, plan, amount, and balance before any purchase or account mutation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Intent-Code Divergence

Medium, 96% confidence
Finding
The documented behavior is misleading because the tool is presented as a login-status helper, yet its commands also reveal the raw session token. In an agent or automation context, users may invoke check/load expecting harmless status output, causing credentials to be exposed into logs, transcripts, shell history, or downstream tools.

Missing User Warnings

High, 99% confidence
Finding
The save path echoes the provided session token back to stdout in JSON, which unnecessarily discloses a live credential at the moment it is handled. Stdout is commonly captured by agent frameworks, CI logs, terminal recording, and other integrations, turning a local credential helper into a credential exfiltration point.

Missing User Warnings

High, 99% confidence
Finding
The `load` command prints the stored session token directly to stdout, exposing the credential to any process, user, or logging layer that can observe command output. Because session tokens often grant authenticated access without additional factors, disclosure can lead to account/session hijacking.

Missing User Warnings

High, 99% confidence
Finding
The `check` command includes the session token in login-status JSON, which violates the principle of least exposure because a status check should not reveal credentials. This is especially dangerous in skill/agent contexts where status commands may be called automatically and their outputs retained in logs or shared with other components.

Missing User Warnings

Medium, 92% confidence
Finding
The skill explicitly instructs saving a live session token to a local `.session_token` file and reusing it for authenticated requests, but provides no safeguards for secure storage, file permissions, encryption, rotation, or user consent. Because this token grants account access to balance, profile, contacts, transactions, and purchasing actions, local compromise or accidental leakage could enable unauthorized account use.

Missing User Warnings

Medium, 94% confidence
Finding
The auth flow has the agent collect and transmit highly sensitive data including phone number, OTPs, PINs, email verification codes, and session tokens, yet the skill includes no privacy boundary, masking guidance, secret-handling instructions, or warning about retaining or exposing these values in logs or chat history. In an agent setting, this meaningfully increases the risk of credential capture, replay, account takeover, and privacy violations.

VirusTotal

65/65 vendors flagged this skill as clean.
