Clawpay

Security checks across malware telemetry and agentic risk

Overview

Clawpay is a coherent payment-delivery skill, but users should verify wallet/payment details and avoid sending sensitive deliverables unintentionally.

Before installing or using this skill, verify the recipient wallet address, amount, currency, request ID, and pay URL. Treat crypto payments as hard to reverse, and only send delivery payloads through Clawpay when you intend that content to leave the local agent context.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The skill explicitly instructs the agent to POST a payload to an external service, but it provides no warning, approval gate, or constraint on what data may be transmitted. In an agent setting, this creates a real risk of unintended exfiltration of task results or sensitive content to a third-party endpoint once a request is marked paid.

VirusTotal

54/54 vendors flagged this skill as clean.

View on VirusTotal