Back to skill

Security audit

Receipts Guard

Security checks across malware telemetry and agentic risk

Overview

Receipts Guard has sensitive wallet, key, storage, and HTTP-server features, but they are disclosed and aligned with its agent-commerce purpose.

Install only if you need local receipt capture, agent identity, payments, or arbitration workflows. Use a dedicated low-balance wallet for RECEIPTS_WALLET_PRIVATE_KEY, protect and back up ~/.openclaw/receipts, configure RECEIPTS_API_KEY and strict CORS before server deployment, avoid wildcard CORS in production, and treat the included v0.6.0 security audit as historical rather than full assurance for v0.7.1.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill advertises capabilities that use environment variables, networking, and shell execution, but does not declare corresponding permissions. This creates a transparency and review gap: operators may install or run the skill without understanding that it can access secrets, make outbound requests, and expose or invoke system-level behavior.

Tp4

High
Category
MCP Tool Poisoning
Confidence
90% confidence
Finding
The documented purpose is narrower than the behavior described in the skill, which also includes local evidence capture, document/risk analysis, exports, witness anchoring, custom rules, and an HTTP server. This mismatch can mislead users about the true attack surface and data handling, increasing the chance that sensitive legal, identity, or agreement data is exposed or processed unexpectedly.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The DID request-signing verification path calls an undefined function, `base58Decode`, instead of the implemented `base58btcDecode`, and also switches verification logic to a different path using tweetnacl/public key bytes. This can cause authentication failures or runtime exceptions in the security boundary, which may lead to denial of service for authenticated requests and creates uncertainty around whether request authentication is actually functioning as intended.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The cloud deployment section encourages running a persistent public HTTP service but does not prominently warn that identity and agreement-related endpoints become remotely accessible. Even with some authentication described elsewhere, deployers may expose metadata, service fingerprinting information, or misconfigure protected endpoints, especially in internet-facing environments.

Unsafe Defaults

Medium
Category
Tool Misuse
Content
# Allow specific origins
export RECEIPTS_ALLOWED_ORIGINS=https://app.example.com,https://dashboard.example.com

# Allow all origins (not recommended for production)
export RECEIPTS_ALLOWED_ORIGINS=*
```
Confidence
78% confidence
Finding
Allow all origins

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.