AgentXPay

Security checks across malware telemetry and agentic risk

Overview

This is a real blockchain payment skill, but it gives an agent broad ability to spend funds and call external URLs without strong built-in approval or allowlist controls.

Install only if you intend to give an agent a funded blockchain key. Use a testnet or low-balance wallet first, require human confirmation before every payment, transfer, subscription, escrow, or authorization change, set strict spend limits, and restrict allowed service endpoints. Do not send sensitive prompts, secrets, or headers to untrusted provider URLs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (18)

Context-Inappropriate Capability
Severity: Medium
Confidence: 95%
Finding: The payAndCall method accepts an arbitrary URL and forwards user-controlled method, headers, and body while enabling autoPayment. In a payment-enabled agent skill, this creates an SSRF and unintended-payment surface where an agent or prompt-controlled input can exfiltrate data to arbitrary endpoints or trigger paid requests outside the intended service discovery flow.

Context-Inappropriate Capability
Severity: Medium
Confidence: 89%
Finding: Exposing the raw AgentXPayClient bypasses the safety boundaries implied by the skill interface and allows callers to invoke advanced SDK capabilities not reviewed here. In practice, this undermines any restrictions implemented in wrapper methods and can enable unauthorized payments, wallet operations, or network interactions through less controlled paths.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The README advertises autonomous on-chain payments, wallet management, subscriptions, and escrow features but does not warn users that these actions can move funds, create recurring obligations, or expose wallets to financial loss. In an agent skill context, that omission is dangerous because operators may enable or invoke the skill without understanding that it can trigger real blockchain transactions and persistent spending behavior.

Missing User Warnings
Severity: Medium
Confidence: 90%
Finding: The README explicitly promotes autonomous service discovery, on-chain payments, wallet management, and subscriptions, but provides no warning that these actions can spend funds, create persistent subscriptions, or have irreversible blockchain effects. In an agent skill context, this omission materially increases the risk that integrators or end users enable financially sensitive actions without appropriate confirmation, limits, or monitoring.

Missing User Warnings
Severity: Medium
Confidence: 94%
Finding: The tool list includes payment, wallet, subscription, and escrow capabilities but does not warn users that invoking these tools may trigger real blockchain transactions, lock funds, or create recurring financial obligations. Because the README presents these operations as normal agent abilities, the context makes the omission more dangerous by encouraging direct automation of high-impact financial actions.

Missing User Warnings
Severity: Medium
Confidence: 96%
Finding: The recommended one-step flow explicitly tells the agent to use `agentxpay_smart_call`, which performs service discovery, selection, payment, and invocation automatically, but does not require an explicit confirmation step at the point of use. In a payment-enabled blockchain skill, this creates a real risk of unintended monetary loss, especially if a prompt, service response, or agent misinterpretation triggers an external paid call without the user's informed consent.

Missing User Warnings
Severity: Medium
Confidence: 93%
Finding: The code sends user-provided request data to a caller-supplied URL with no disclosure, restriction, or destination validation. In an agent setting, this can leak prompts, secrets, headers, or internal context to attacker-controlled hosts and is especially dangerous because the same method also supports automatic payment behavior.

Missing User Warnings
Severity: High
Confidence: 96%
Finding: The fund action performs a direct blockchain transfer from the configured signer to an arbitrary wallet address based on parameters alone. In an autonomous agent context, lack of an explicit confirmation or policy gate can lead to irreversible loss of funds from prompt injection, tool misuse, or compromised orchestration logic.

Missing User Warnings
Severity: Medium
Confidence: 84%
Finding: Authorizing an agent changes wallet permissions on-chain and may grant ongoing spending capability. Although the code checks that the caller is the wallet owner, it still performs a sensitive authorization change directly from method parameters without an explicit approval workflow or recipient validation.

Missing User Warnings
Severity: Medium
Confidence: 72%
Finding: Revoking an agent is a sensitive permission change, but it reduces access rather than granting or spending funds. The absence of confirmation is less dangerous than the authorization path, though unexpected revocations could still disrupt service or lock out legitimate automation.

Missing User Warnings
Severity: High
Confidence: 97%
Finding: The pay action executes an on-chain payment through a wallet after only local authorization, allowance, and balance checks. Because blockchain payments are irreversible and parameter-driven, an attacker controlling tool inputs or agent behavior could drain budget within configured limits or pay unintended services without any explicit user consent step.

Missing User Warnings
Severity: Medium
Confidence: 88%
Finding: The subscribeService method purchases a subscription immediately after selecting a plan, which can commit funds and recurring access decisions without a confirmation boundary. In an agent setting, this can be abused to subscribe to unintended services or more expensive plans than expected.

Missing User Warnings
Severity: High
Confidence: 95%
Finding: Creating escrow locks funds on-chain until release or expiry, which is a high-impact financial action. Performing it directly from parameters without an approval or policy gate makes the skill susceptible to prompt-driven misuse, fund immobilization, and disputes involving malicious or incorrect counterparties.

Missing User Warnings
Severity: Medium
Confidence: 96%
Finding: The tool schema explicitly advertises that a 402 response will trigger automatic on-chain payment and request retry, but it exposes no parameter or warning for user approval, spend caps, allowlists, or confirmation. In an agent setting, this can cause unauthorized or unintended spending against arbitrary endpoints, especially if prompts or upstream tools influence the URL.

Missing User Warnings
Severity: Medium
Confidence: 97%
Finding: This schema combines sensitive wallet operations such as funding, payments, limit changes, and agent authorization into one tool without surfacing explicit safety controls or confirmation requirements. Those actions can directly move funds or expand spending authority, so an agent mistake, prompt injection, or malicious workflow could lead to loss of assets or persistent wallet compromise.

Missing User Warnings
Severity: Low
Confidence: 87%
Finding: Automatically selecting the first subscription plan when planId is omitted can enroll the user in a recurring on-chain payment arrangement without clear intent or review of plan terms. In a payment-oriented skill, subscriptions are especially sensitive because they may create ongoing financial commitments rather than a one-time charge.

Missing User Warnings
Severity: Low
Confidence: 84%
Finding: The escrow tool states that funds are locked until completion or deadline, but the schema does not emphasize this risk or require additional acknowledgment before locking assets on-chain. That can cause unintended liquidity loss or disputes if the agent chooses an unsuitable deadline or service without user review.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: This tool combines discovery, provider selection, payment, and service invocation in a single step, removing important review points before money is spent and data is sent to a third-party endpoint. In this skill's blockchain payment context, that increases the chance of paying an unintended or malicious service and amplifies prompt-injection or selection-manipulation risks.

VirusTotal

64/64 vendors flagged this skill as clean.