Payment Skill Demo

Security checks across malware telemetry and agentic risk

Overview

This is a coherent payment skill, but it can perform real payment and refund actions with live credentials without a clearly enforced confirmation boundary.

Install only if you trust the publisher and the configured payment endpoint. Use test or least-privilege credentials first, avoid running diagnostics where logs or terminal output may be shared, and do not allow create_payment or refund_payment against production accounts unless you have an external approval and audit process.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 94%
Finding: The skill advertises and documents capabilities that access environment variables, invoke shell scripts, read files, and perform networked payment actions, yet no explicit permissions model is declared. In a payment/finance context, this gap is more dangerous because the runtime handles secrets and can trigger financial operations, so users and hosts cannot make an informed trust decision about what the skill is allowed to do.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding: The diagnostic script reads payment-related secrets from environment variables and prints masked portions to stdout. Even partial secret disclosure increases exposure in logs, CI output, screenshots, or shared terminals, and this behavior is not strictly necessary for a local environment diagnostic tool.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The documentation presents refund initiation as a normal one-step tool action without any warning, approval requirement, or user confirmation flow. In a payment skill, refunds are financially sensitive and may be irreversible or abused by an agent through prompt mistakes, making undocumented confirmation safeguards a meaningful security risk.

Vague Triggers

Severity: Low
Confidence: 84%
Finding: The manifest exposes payment-creating and refund-capable tools but does not define clear trigger constraints, eligibility rules, or contextual safeguards for when those actions may be invoked. In a financial skill, this increases the risk of unintended or overly broad tool use by an agent, which can lead to unauthorized payment operations or premature transaction handling.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The skill advertises networked payment and refund functionality without a user-facing warning that these actions can transmit sensitive financial data and cause real-world financial effects. In a payment context, omission of such notice can lead users or calling agents to invoke tools without understanding that money movement, external API calls, and data disclosure may occur.

VirusTotal

63/63 vendors flagged this skill as clean.