Security audit

bitrefill

Security checks across malware telemetry and agentic risk

Overview

This Bitrefill skill is coherent, but it gives agents real purchase authority and includes some risky credential and auto-payment guidance that users should review carefully.

Install only if you want an agent to help with Bitrefill purchases. Prefer OAuth or Authorization-header setup over API keys in URLs, use a dedicated low-balance account, keep buy tools out of auto-approval, protect credential files and environment variables, and require explicit confirmation before any purchase or recurring top-up.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (8)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger text is broad enough to match generic shopping and crypto-payment intents, which can cause this skill to activate in contexts unrelated to Bitrefill. Because the skill enables real-money purchases and capability-based routing to external services, over-triggering increases the chance of unintended invocation and user confusion, especially in autonomous agent environments.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation includes a ready-to-run purchase flow that creates invoices and enables immediate payment using account balance (`auto_pay: true`) without any explicit warning that this can spend real funds and trigger irreversible external transactions. In an agent-skill context, this materially increases the risk of unintended purchases because an agent or operator may treat the example as safe boilerplate rather than a money-moving action.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The buy command examples are operational and directly create real Bitrefill invoices/orders, yet the documentation does not clearly warn that running them may initiate payment against a configured balance, x402/USDC, or other payment method. In an agent-oriented CLI skill, example commands are especially likely to be executed verbatim, so missing transaction-safety warnings materially increases the risk of unintended purchases and financial loss.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The documentation explicitly offers a header-less authentication mode that places the API key in the URL path, but it does not warn that URLs are commonly exposed via logs, proxy telemetry, browser history, config files, screenshots, and error messages. In a skill whose purpose is to configure third-party MCP clients across many hosts, this materially increases the chance of credential leakage and unauthorized purchases or order-data access.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The OpenClaw example embeds the API key directly into a shell command URL, which risks exposure through shell history, process inspection, copied terminal transcripts, and persisted configuration. Because this is a copy-paste setup instruction, users are likely to execute it verbatim, making accidental credential disclosure more likely.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The troubleshooting guidance explicitly tells users where API keys and OAuth state are stored and how to switch to headless auth, but it does not warn that these files and environment variables are secrets that must not be logged, shared, or committed. In an agent/tooling context, such paths are likely to be surfaced to logs, copied into support chats, or exposed to other tools, increasing the chance of credential theft and account misuse.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The document recommends accessing from the matching country 'or VPN' to get around IP-based geolocation enforcement, with only a weak note that this may violate terms of service. That guidance normalizes bypassing an access control/business rule and could facilitate policy evasion, fraud screening bypass, or prohibited purchases.

External Transmission

Medium
Category
Data Exfiltration
Content
"payment_method": "balance",
    "auto_pay": true
  }' \
  https://api.bitrefill.com/v2/invoices

# 6. Order / redemption
curl -H "$H" https://api.bitrefill.com/v2/orders/{order_id}
Confidence
92% confidence
Finding
https://api.bitrefill.com/

VirusTotal

62/62 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.