Back to skill

Security audit

Clawtip Skill

Security checks across malware telemetry and agentic risk

Overview

This payment skill is coherent with its stated purpose, but it needs Review because it can trigger real wallet debits through other skills without a clear user confirmation step and can redirect payment requests via an environment variable.

Review carefully before installing. This skill may perform real wallet charges, send order identifiers to a payment backend, and write payment credentials into local OpenClaw order files. Install only if you trust the publisher and backend, use the sandbox variant for testing, and avoid setting CLAWTIP_SERVER_URL to any untrusted server.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Tainted flow: 'req' from os.environ.get (line 80, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
headers={"Content-Type": "application/json"},
            method="POST"
        )
        with urllib.request.urlopen(req, timeout=30) as resp:
            response_data = json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as e:
        try:
Confidence
93% confidence
Finding
with urllib.request.urlopen(req, timeout=30) as resp:

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The skill instructs the agent to execute a local Python script to perform payment, but the manifest only declares credential/filesystem/network permissions and does not disclose code execution as part of the skill’s behavior. This creates a trust gap: a caller expecting a declarative payment skill may instead trigger arbitrary local code with access to sensitive payment context and filesystem state.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The skill description does not clearly warn that using it can trigger real wallet debits and modify local order files by writing payment credentials. In a payment context, insufficient disclosure can cause unintended financial actions or silent persistence of sensitive transaction artifacts, especially when invoked indirectly by other skills.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.