PayPal

Security checks across malware telemetry and agentic risk

Overview

This PayPal skill is an instruction-only integration guide with payment-impacting examples that are disclosed and aligned with its purpose.

Install this only if you want PayPal integration help. Use sandbox first, keep PayPal client secrets out of code and logs, and manually review any generated capture, refund, subscription, webhook, or dispute-handling code before connecting production credentials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Description-Behavior Mismatch

Medium
Confidence: 93%
Finding
The skill description promises webhook verification, OAuth handling, and security validation, but the examples omit webhook signature verification and other security controls. For a payment integration, this omission is dangerous because users may implement the examples as-is and trust payment events or state transitions without cryptographic verification, enabling spoofed webhooks or incorrect fulfillment flows.

External Transmission

Medium
Category: Data Exfiltration
Content
const token = await getToken();
  const body = amount ? { amount: { value: amount, currency_code: 'USD' } } : {};
  
  return fetch(`https://api.paypal.com/v2/payments/captures/${captureId}/refund`, {
    method: 'POST',
    headers: { 'Authorization': `Bearer ${token}`, 'Content-Type': 'application/json' },
    body: JSON.stringify(body)
Confidence: 78%
Finding
https://api.paypal.com/

VirusTotal

64/64 vendors flagged this skill as clean.
