Proxy Gateway X402

Security checks across malware telemetry and agentic risk

Overview

The skill is a disclosed pay-per-use proxy, but it combines arbitrary traffic forwarding with wallet-payment automation and weak safety controls that users should review carefully before installing.

Install only if you intentionally want a third-party or self-hosted proxy that can see proxied URLs, headers, bodies, and responses. Do not send real bearer tokens, passwords, private keys, personal data, or internal network URLs through the hosted service. If testing payments, use a dedicated low-balance wallet, avoid exposing USER_EVM_PRIVATE_KEY on a public server, and treat the current payment verification and open-proxy controls as needing review before production use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (23)

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The middleware claims to verify payment proof on-chain, but `_validate_payment_transaction` only checks that the transaction was sent to the USDC contract address. It does not verify that the transaction actually invoked a transfer to the developer wallet, nor that the transferred amount meets the required price, so an attacker can submit any successful transaction to the token contract and receive service without paying the intended recipient or amount.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The auto-pay demo endpoint reads a blockchain private key from an environment variable and uses it to initiate a payment during request handling. Even if intended as a demo, exposing server-side logic that can spend funds with a hot key materially increases the risk of unauthorized spending, key misuse, and operational compromise if the environment or endpoint is abused.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
`get_free_trial_status()` is documented as a status query, but it calls `get_proxy()`, which appears to allocate or consume a trial proxy request. That creates an unexpected side effect where a read-style operation can decrement limited usage quotas, trigger billing-like behavior, or provision external network resources without clear user intent.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill explicitly documents a proxy that can fetch arbitrary URLs and forward caller-supplied headers including Authorization tokens, but it does not clearly warn users that the proxy operator can observe request URLs, headers, bodies, and returned data. In this context, that creates real credential, privacy, and data-exfiltration risk because users may send secrets or sensitive API traffic through a third-party service advertised as unrestricted internet access.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The code implements a generic server-side request proxy that accepts arbitrary URLs, methods, headers, and bodies, then performs outbound requests and returns the full response. In skill context, this is more dangerous than a mere missing warning: it creates SSRF/open-proxy capability that can be used to reach internal services, probe the network, relay abusive traffic, and exfiltrate request/response data through the server's network path.

Missing User Warnings

High
Confidence
86% confidence
Finding
`auto_pay` accepts a raw user private key and immediately uses it to sign and broadcast a blockchain transaction. In an agent context, this is highly sensitive because users may be induced to provide long-lived wallet keys, and the code performs value-bearing actions without any explicit confirmation, constrained approval flow, or safer wallet abstraction.

Missing User Warnings

High
Confidence
95% confidence
Finding
The endpoint can automatically execute a blockchain payment using a private key found in server environment variables, without an explicit confirmation step tied to the specific request. In a skill that proxies arbitrary user-supplied URLs, this makes the payment action more dangerous because repeated or scripted calls could trigger spending automatically and opaquely.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill explicitly promotes enabling a system-wide proxy that will route the agent's traffic through a third-party service, but it does not clearly warn users about the privacy, integrity, and traffic-inspection implications of doing so. In an agent context, this is especially risky because proxying can affect all outbound requests, including sensitive API calls, tokens, prompts, and retrieved data, and users may not realize the breadth of exposure.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation instructs users to configure an API key and, elsewhere, a wallet private key, but provides no accompanying warning about secure secret handling. This can lead users to place credentials in shell history, plaintext .env files, logs, screenshots, or shared environments, increasing the risk of credential theft and unauthorized proxy or payment usage.

Missing User Warnings

High
Confidence
98% confidence
Finding
The x402 example shows direct use of a blockchain wallet private key for automated payment signing without any warning about the sensitivity of that key or the financial consequences of compromise. In practice, users may paste a real signing key into code or environment variables, enabling theft of funds or unauthorized on-chain/payment actions if the host, logs, or agent environment is compromised.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
`get_deposit_info()` and `get_balance()` send `user_id` values in URL query strings to a remote gateway without documenting the privacy and logging implications. Query parameters are commonly logged by clients, proxies, and servers, so identifiers may be exposed unintentionally, and the lack of disclosure makes misuse more likely in an agent context that may handle sensitive user identifiers.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The document explicitly describes automatic per-request payment deduction and retry behavior, but it does not pair that flow with prominent user-facing disclosure about recurring charges, wallet authorization scope, spending visibility, or how to stop future deductions. In a payment-integrated API context, that omission can lead users to unknowingly authorize repeated microcharges, increasing the risk of deceptive billing behavior and user financial harm.

External Transmission

Medium
Category
Data Exfiltration
Content
```python
import requests

response = requests.post(
    "https://proxy.easky.cn/api/v1/fetch",
    headers={"X-Client-ID": "my_agent_001"},
    json={
```
Confidence
93% confidence
Finding
requests.post( "https://

External Transmission

Medium
Category
Data Exfiltration
Content
```python
# Use your user_id as API Key after deposit
response = requests.post(
    "https://proxy.easky.cn/api/v1/fetch",
    headers={"X-API-Key": "my_agent_001"},
    json={
```
Confidence
94% confidence
Finding
requests.post( "https://

External Transmission

Medium
Category
Data Exfiltration
Content
```python
import requests

response = requests.post(
    "https://proxy.easky.cn/api/v1/fetch",
    headers={"X-Client-ID": "my_agent_001"},
    json={
```
Confidence
93% confidence
Finding
requests.post( "https://proxy.easky.cn/api/v1/fetch", headers={"X-Client-ID": "my_agent_001"}, json=

External Transmission

Medium
Category
Data Exfiltration
Content
```python
# Use your user_id as API Key after deposit
response = requests.post(
    "https://proxy.easky.cn/api/v1/fetch",
    headers={"X-API-Key": "my_agent_001"},
    json={
```
Confidence
94% confidence
Finding
requests.post( "https://proxy.easky.cn/api/v1/fetch", headers={"X-API-Key": "my_agent_001"}, json=

External Transmission

Medium
Category
Data Exfiltration
Content
```python
import json

# Method 1: Auto-pay (if USER_EVM_PRIVATE_KEY is set)
response = requests.post(
    "https://proxy-gateway-x402.easky.cn/api/v1/fetch",
    json={
        "url": "https://api.github.com/users/github",
```
Confidence
84% confidence
Finding
requests.post( "https://

External Transmission

Medium
Category
Data Exfiltration
Content
```python
# Method 2: Manual payment
# First call returns 402 Payment Required
response = requests.post(
    "https://proxy-gateway-x402.easky.cn/api/v1/fetch",
    json={"url": "https://example.com/api", "method": "GET"}
)
```
Confidence
84% confidence
Finding
requests.post( "https://

External Transmission

Medium
Category
Data Exfiltration
Content
```python
# Pay 0.001 USDC to the specified address
# Then retry with payment proof
response = requests.post(
    "https://proxy-gateway-x402.easky.cn/api/v1/fetch",
    headers={"X-Payment-Response": json.dumps({"tx_hash": "0x..."})},
    json={"url": "https://example.com/api", "method": "GET"}
```
Confidence
90% confidence
Finding
requests.post( "https://

External Transmission

Medium
Category
Data Exfiltration
Content
```python
import json

# Method 1: Auto-pay (if USER_EVM_PRIVATE_KEY is set)
response = requests.post(
    "https://proxy-gateway-x402.easky.cn/api/v1/fetch",
    json={
        "url": "https://api.github.com/users/github",
```
Confidence
84% confidence
Finding
requests.post( "https://proxy-gateway-x402.easky.cn/api/v1/fetch", json=

External Transmission

Medium
Category
Data Exfiltration
Content
```python
# Method 2: Manual payment
# First call returns 402 Payment Required
response = requests.post(
    "https://proxy-gateway-x402.easky.cn/api/v1/fetch",
    json={"url": "https://example.com/api", "method": "GET"}
)
```
Confidence
84% confidence
Finding
requests.post( "https://proxy-gateway-x402.easky.cn/api/v1/fetch", json=

External Transmission

Medium
Category
Data Exfiltration
Content
**Request Body:**
```json
{
  "url": "https://api.example.com/data",
  "method": "GET",
  "headers": {"Authorization": "Bearer token"},
  "body": null,
```
Confidence
91% confidence
Finding
https://api.example.com/

Unsafe Defaults

Medium
Category
Tool Misuse
Content
```
FREE_TRIAL_LIMIT=10
COST_PER_REQUEST=0.001

# CORS
CORS_ORIGINS=*
```
Confidence
91% confidence
Finding
CORS CORS_ORIGINS=*

VirusTotal

65/65 vendors flagged this skill as clean.
