Mayar

Security checks across malware telemetry and agentic risk

Overview

This Mayar payment skill is openly about managing payment resources, but it gives agents broad account-changing authority through an unpinned CLI command without clear confirmation safeguards.

Install only if you trust the Mayar CLI package and publisher. Prefer a pinned CLI version, use a least-privileged or test Mayar API key when possible, avoid passing keys on the command line, and require explicit confirmation before the agent creates, closes, reopens, or registers anything in a real payment account.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 87% confidence
Finding: The skill advertises operational commands that can create, close, reopen, register, or otherwise modify live payment resources, but it does not clearly warn agents or users that these actions are state-changing and may affect production invoices, payments, customers, and webhooks. In an agent context, this increases the chance of unintended destructive or financially significant actions being executed against a real merchant account.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal