x402 Payment Protocol

Security checks across malware telemetry and agentic risk

Overview

This payment skill does what it says, but it can automatically authorize real USDC payments without built-in confirmation or spend limits.

Install only if you intend to let an agent or script make x402 crypto payments. Use a dedicated low-balance wallet, restrict use to trusted URLs, review the amount, recipient, network, and token before signing, and avoid exposing a main wallet private key through environment variables or wallet files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence: 91%
Finding
The example performs an automatic paid request using a live wallet, but it does not clearly warn that calling `x402Fetch` can spend real USDC and that such payments may be irreversible. In an agent skill context, copy-pasted examples are often executed as-is, so omitting an explicit spending confirmation and real-funds warning increases the risk of unintended financial loss.

Missing User Warnings

Medium
Confidence: 94%
Finding
The `conway-credits.mjs` and `conway-domain.mjs` examples directly initiate paid operations, yet the documentation does not clearly state that running these commands will spend wallet funds and may create irreversible purchases. Because these are simple one-line commands, users or agents may execute them without recognizing the financial consequences.

Missing User Warnings

Medium
Confidence: 95%
Finding
The function automatically signs an EIP-3009 authorization derived entirely from a server-provided 402 response and immediately retransmits it in the X-Payment header without any user confirmation, policy checks, origin allowlisting, or validation that the payee/asset/domain are trusted. In this context, that means any endpoint returning a crafted 402 challenge can induce the client to create a transferable payment authorization, which is especially dangerous because the signed payload may be usable beyond the immediate HTTP exchange depending on downstream handling and token contract semantics.

VirusTotal

63/63 vendors flagged this skill as clean.
