Security audit

ZL-ClawPay

Security checks across malware telemetry and agentic risk

Overview

This payment skill needs manual review because it can use stored payment credentials for live payment actions and the supplied evidence shows weak confirmation and credential safeguards.

Install only if you are comfortable with a payment skill that stores credentials and can submit live payment requests. Before using it with real funds, require an explicit per-transaction confirmation step, protect stored API keys in a proper secret store, disable plaintext response fallback in production, and treat unbind or revocation commands as destructive actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Description-Behavior Mismatch (Medium, 97% confidence)

Finding:
The response handler explicitly accepts plaintext JSON whenever `data` begins with `{` or `[`, bypassing the SM2/SM4 decryption and server-signature verification path. In a payment skill that claims GM-encrypted communication, this creates a fail-open downgrade path where a network attacker, proxy, or misconfigured upstream can inject unauthenticated response content and potentially influence payment status, wallet binding, or transaction results.

Missing User Warnings (Medium, 89% confidence)

Finding:
The local unbind example clears stored payment credentials without a prominent warning that this action is destructive and may disrupt future payment operations. In a payment skill, understated documentation around credential deletion can lead an agent or operator to trigger sensitive state changes without informed confirmation, causing account access loss or operational denial of service.

Missing User Warnings (Medium, 93% confidence)

Finding:
The unbind example involves irreversible actions (local credential removal and permanent API key invalidation), yet the warning is not sufficiently prominent relative to the severity of the outcome. In a financial payment context, weak signaling around irreversible credential revocation can cause accidental account lockout, service disruption, and loss of the ability to perform legitimate transactions.

Missing User Warnings (Medium, 84% confidence)

Finding:
The code persists an API key in a generic state store without any visible protections such as encryption, scope restriction, expiry, or user consent/notice. In a payment skill, storing long-lived credentials increases the risk of unauthorized payment actions or account access if the local state store is exposed, logged, or reused across sessions.

Missing User Warnings (Medium, 92% confidence)

Finding:
The payment path executes a live payment request immediately after parameter validation and uses a stored API key/sub-wallet without enforcing an explicit user confirmation gate in code. In a payment skill, this is dangerous because ambiguous prompts, prompt injection through upstream agent flow, or accidental invocation could trigger irreversible financial transactions.

VirusTotal

64/64 vendors flagged this skill as clean.