ClawHub

Buy a travel eSIM - via x402 USDC Base Wallet

Security checks across malware telemetry and agentic risk

Overview

This skill appears legitimate for buying travel eSIMs, but it can involve real USDC payments and should be used with checkout-level care.

Install only if you trust the esimqr.link service and are comfortable with wallet-based purchases. Before approving any transaction, confirm mainnet versus testnet, the package, USDC amount, token contract, recipient address, and gas fee; use testnet or a limited-balance wallet for testing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The invocation criteria are broad enough to activate on common travel or connectivity-related requests, which can route ordinary user queries into a purchase-capable skill. In this context, the skill can initiate real-money USDC payments on Base Mainnet by default, so overbroad triggering increases the risk of unintended commerce flows, confusing consent boundaries, and accidental purchases.

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.28.0
Confidence
98% confidence
Finding
requests>=2.28.0

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
96% confidence
Finding
requests

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal