x402 Singularity Layer

Security checks across malware telemetry and agentic risk

Overview

The skill is coherent and not deceptive, but it can spend funds, sign blockchain transactions, and change account resources with limited built-in confirmation.

Install only if you intend to let the agent handle crypto payment and endpoint-management workflows. Use low-balance or delegated wallets, scoped API keys/PATs, and trusted API base URLs; avoid running these scripts in logged CI or shared terminals; manually review any spending, registration, endpoint deletion, webhook secret, or XMTP revocation action before execution.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
Findings (17)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
    checksum_wallet = Web3.to_checksum_address(wallet_address)
    checksum_contract = Web3.to_checksum_address(contract_address)
    contract = w3.eth.contract(address=checksum_contract, abi=abi)
    contract_fn = getattr(contract.functions, function_name)(*args)

    nonce = w3.eth.get_transaction_count(checksum_wallet)
    tx: Dict[str, Any] = {
Confidence
87% confidence
Finding
contract_fn = getattr(contract.functions, function_name)(*args)

Tainted flow: 'result' from requests.get (line 284, network input) → requests.get (network output)

Medium
Category
Data Flow
Content
        filename = "downloaded_product"
        print(f"\nDownloading file to: {filename}")
        
        file_response = requests.get(result["downloadUrl"])
        if file_response.status_code == 200:
            with open(filename, "wb") as f:
                f.write(file_response.content)
Confidence
97% confidence
Finding
file_response = requests.get(result["downloadUrl"])

Tainted flow: 'url' from os.getenv (line 44, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
    else:
        body["agentId"] = agent_id

    response = requests.post(
        url,
        json=body,
        headers={
Confidence
94% confidence
Finding
response = requests.post( url, json=body, headers={ "Content-Type": "application/json", "X-API-Key": api_key, }, timeout=90, )

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The skill explicitly states that endpoint creation returns both a public gateway URL and an API key, but it does not warn that the gateway is publicly reachable or that the API key is a sensitive credential for management/origin verification. In this context, users may inadvertently expose internal services or mishandle the issued key, leading to unauthorized access, endpoint abuse, or accidental publication of monetized APIs.

Missing User Warnings

Low
Confidence
80% confidence
Finding
The auto-detect schema feature describes probing common documentation paths on the origin and importing discovered specs, but omits a privacy and exposure warning. This can cause operators to unintentionally reveal internal API structure or trigger requests against endpoints they did not expect the platform to probe, increasing information disclosure risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The example code directly demonstrates local private-key use to sign payment authorizations, but it does not include safeguards around secret handling, scope limitation, testnet use, wallet isolation, or user consent before authorizing value transfer. In this skill’s context, that omission is more dangerous than generic crypto sample code because the documented flow is specifically intended to authorize real payments to external endpoints, increasing the chance that users copy unsafe patterns into production or expose hot-wallet credentials.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The document explicitly requires highly sensitive secrets such as `PRIVATE_KEY` and an optional support token, but provides no warning about secure storage, non-disclosure, least-privilege use, or avoiding logging/pasting them into chats. In an agent skill context, this is dangerous because operators may supply wallet private keys directly to automation without understanding the risk, which can lead to wallet compromise, unauthorized signing, and loss of funds or account control.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The script transmits the user's wallet address to a third-party API without any explicit user-facing disclosure beyond the source code behavior. Although wallet addresses are generally public blockchain identifiers, they are still sensitive from a privacy perspective because they can link a user's on-chain activity and service usage.

Missing User Warnings

Low
Confidence
87% confidence
Finding
The script prints the full wallet address to stdout, which can leak a user's on-chain identity into terminal history, logs, CI output, or support transcripts. In this skill's context, wallet addresses are central identifiers across payment, reputation, and marketplace operations, so exposing them can increase privacy and correlation risk.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The run subcommand is an unrestricted passthrough to the OWS CLI, allowing an agent or user to invoke arbitrary OWS operations including wallet creation, signing, key management, and potentially networked or state-changing actions. In the context of an agent skill that may be used with privileged wallets and API credentials, this broad capability increases the chance of unintended signing, asset movement, secret exposure through stdout/stderr, or other owner-scoped operations without meaningful guardrails.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
This script transmits both an `X-Payment` token and the user's Solana wallet address to whatever `endpoint_url` the operator provides, but it does not present a clear consent prompt or destination summary before sending those identifiers. In a wallet/payment skill, this is more sensitive than usual because users may be induced to contact an attacker-controlled endpoint and disclose reusable payment metadata or wallet identity without realizing it.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This code can immediately trigger a real credit purchase after obtaining a 402 challenge, without any explicit confirmation, dry-run step, or clear spend summary presented to the user at the point of execution. In an agent skill context that handles wallets and payment headers, this increases the risk of unintended or unauthorized spending if an agent selects this runbook based on ambiguous user input or malicious prompt manipulation.

Missing User Warnings

Medium
Confidence
79% confidence
Finding
The script automatically uses PRIVATE_KEY and WALLET_ADDRESS to sign and submit live blockchain transactions without any confirmation prompt, dry-run preview, or explicit acknowledgement of cost and effect. In an agent skill context, this increases the risk of unintended or silently triggered on-chain actions when the skill is called programmatically.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The Solana path signs and submits a prepared transaction from a remote API using local signing keys and an extra generated signer, but does not present the transaction contents for review or require user confirmation. If the prepared payload is malicious or unexpected, the script may authorize unintended on-chain state changes under the operator's wallet.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script performs a paid, state-changing top-up operation immediately from command-line arguments, including building and submitting payment after a 402 challenge, without any explicit confirmation step or strong warning about spending funds. In an agent-skill context, that increases the chance of accidental or prompt-induced financial actions using available credentials or signing capability.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The `revoke-others` command performs an irreversible, account-scoped action that revokes all other XMTP installations without any confirmation prompt, dry-run, or explicit acknowledgement. In a wallet- and messaging-admin skill like this one, accidental invocation by an agent, script, or operator could immediately disrupt access on other devices and cause loss of session continuity or operational availability.

External Transmission

Medium
Category
Data Exfiltration
Content
    if response.status_code in (200, 201):
        result = response.json()
        print("\nEndpoint created")
        print(f"URL: https://api.x402layer.cc/e/{slug}")
        if "endpoint" in result and "api_key" in result["endpoint"]:
            print("API Key returned. You must validate x-api-key at your origin.")
        if "webhook" in result:
Confidence
91% confidence
Finding
https://api.x402layer.cc/

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.
