Payment Skill

Security checks across malware telemetry and agentic risk

Overview

This is a real payment integration, but it uses payment credentials to create payments and initiate refunds without any enforced safeguard in the skill itself, and its endpoint and permission declarations are ambiguous.

Install only if you trust the publisher and have verified the payment API domain the skill actually contacts. Use least-privilege, low-limit credentials; require manual approval outside the skill before any payment creation or refund; do not run the diagnostic script with live secrets anywhere its output is captured in logs; and treat local logs as sensitive payment metadata.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Missing Permission Declaration

Medium
Category
MCP Least Privilege
Confidence
95%
Finding
The skill declares `has_install_scripts: true` and documents execution of shell scripts, use of environment variables containing payment secrets, file/script access, and outbound network calls, yet it does not declare corresponding permissions. This creates a trust-boundary failure: a host may approve the skill without understanding it can execute shell commands, read environment secrets, and contact external payment infrastructure, which is especially risky in a payment context.
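The check a host would want to run before approving such a skill is a comparison of what the manifest declares against what the scripts actually do. The following is an added example, not SkillSpector's code and not the skill's own code: the manifest fields, script contents, capability names and regex signatures are all constructed for illustration, in the shape the finding describes (install scripts enabled, secrets read from the environment, outbound calls, no declared permissions).

```python
# Added example: static capability-vs-declaration check. Not SkillSpector's
# code or the skill's own code; manifest, scripts and signatures are constructed.
import re

# Constructed manifest in the shape the finding describes: install scripts are
# enabled, but no permissions are declared for shell, env or network use.
SKILL_MANIFEST = {
    "name": "payment-skill",
    "has_install_scripts": True,
    "permissions": [],
}

# Constructed script contents (hypothetical; not the real skill's scripts).
SKILL_SCRIPTS = {
    "install.sh": (
        "#!/bin/sh\n"
        "set -e\n"
        "curl -fsSL https://payments.example/cli | sh\n"
    ),
    "diagnose.py": (
        "import os, subprocess, requests\n"
        "key = os.environ['PAYMENT_API_KEY']\n"
        "subprocess.run(['which', 'payments-cli'])\n"
        "requests.get('https://api.payments.example/v1/ping',\n"
        "             headers={'Authorization': key})\n"
    ),
}

# Capability -> regexes that indicate the capability is exercised in script text.
# Deliberately broad: a checker should over-report and let a reviewer triage.
CAPABILITY_SIGNATURES = {
    "shell_exec": [r"\bsubprocess\.", r"\bos\.system\(", r"\|\s*sh\b", r"^#!/bin/(ba)?sh"],
    "env_secrets": [r"\bos\.environ\b", r"\bos\.getenv\(", r"\$\{?[A-Z_]*(KEY|SECRET|TOKEN)"],
    "network": [r"\bcurl\b", r"\bwget\b", r"\brequests\.", r"\bhttpx\.", r"https?://"],
    "filesystem": [r"\bopen\(", r"\bos\.listdir\(", r"\bglob\.", r"\bos\.walk\("],
}


def observed_capabilities(scripts):
    """Return {capability: [(file, line_no, line), ...]} for every signature hit."""
    hits = {}
    for fname, text in scripts.items():
        for line_no, line in enumerate(text.splitlines(), 1):
            for cap, patterns in CAPABILITY_SIGNATURES.items():
                if any(re.search(p, line) for p in patterns):
                    hits.setdefault(cap, []).append((fname, line_no, line.strip()))
    return hits


def undeclared_capabilities(manifest, scripts):
    """Capabilities the scripts exercise that the manifest does not declare."""
    declared = set(manifest.get("permissions", []))
    observed = observed_capabilities(scripts)
    # has_install_scripts means the host will run shell on install, whether or
    # not the script text itself matched anything.
    if manifest.get("has_install_scripts"):
        observed.setdefault("shell_exec", []).append(
            ("manifest", 0, "has_install_scripts: true")
        )
    return {cap: ev for cap, ev in observed.items() if cap not in declared}


if __name__ == "__main__":
    for cap, evidence in undeclared_capabilities(SKILL_MANIFEST, SKILL_SCRIPTS).items():
        print(f"UNDECLARED {cap}:")
        for fname, line_no, line in evidence:
            print(f"  {fname}:{line_no}: {line}")
```

Run against the constructed skill, the checker reports shell execution, environment-secret access and network access as undeclared, each with the file and line that triggered it; adding those three names to `permissions` makes the report empty. The output is evidence for a reviewer, not a verdict: the signatures are intentionally coarse and a real checker would also resolve what the install script downloads and runs.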

Context-Inappropriate Capability

Medium
Confidence
92%
Finding
The diagnostic script reads the payment credential environment variables and prints portions of their values. Even though the values are partially masked, an exposed prefix or suffix is enough to identify which credential a log line refers to and to correlate it across CI logs and support channels, which aids both leakage and later misuse; a diagnostic helper only needs to report whether a credential is present, so this capability is broader than necessary for a payment skill.
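What the masking leaks, and what a diagnostic can safely report instead, is easiest to see side by side. The following is an added example and not the skill's own diagnostic: the variable names, key formats, sample values and the per-install salt are assumptions. It shows the partial-masking pattern the finding describes, a hardened diagnostic that reports only presence plus a salted fingerprint, and a log scrubber that catches both full and partially masked tokens of the assumed formats.

```python
# Added example, not the skill's own diagnostic. Variable names, key formats,
# sample values and the fingerprint salt are assumptions.
import hashlib
import hmac
import re

SECRET_VARS = ("PAYMENT_API_KEY", "PAYMENT_WEBHOOK_SECRET")

# Constructed environment with made-up, non-functional values.
SAMPLE_ENV = {
    "PAYMENT_API_KEY": "pk_live_4eC39HqLyjWDarjtT1zdp7dc",
    "PAYMENT_WEBHOOK_SECRET": "whsec_9f2c1a7d3e5b8c0a",
}


def diagnose_unsafe(env):
    """The pattern flagged above: prints the first 8 and last 4 characters.
    The prefix reveals the key type and live/test status; the suffix is a
    stable handle for correlating the same key across logs and tickets."""
    lines = []
    for name in SECRET_VARS:
        val = env.get(name)
        lines.append(f"{name}={val[:8]}...{val[-4:]}" if val else f"{name}=<unset>")
    return "\n".join(lines)


def fingerprint(secret, salt):
    """Keyed, truncated hash: an operator who holds the salt can confirm which
    credential is installed, while the log line carries nothing reusable."""
    return hmac.new(salt, secret.encode(), hashlib.sha256).hexdigest()[:8]


def diagnose_safe(env, salt):
    """Reports only presence and a salted fingerprint, never characters of the value."""
    return {
        name: {
            "set": bool(env.get(name)),
            "fingerprint": fingerprint(env[name], salt) if env.get(name) else None,
        }
        for name in SECRET_VARS
    }


# Last line of defence for anything that does print: scrub full or partially
# masked tokens of the assumed formats before the line reaches a log sink.
SECRET_TOKEN = re.compile(r"\b(pk|sk|whsec)_[A-Za-z0-9_]*(?:\.\.\.)?[A-Za-z0-9]*")


def redact(text):
    return SECRET_TOKEN.sub(lambda m: f"{m.group(1)}_[REDACTED]", text)


if __name__ == "__main__":
    print(diagnose_unsafe(SAMPLE_ENV))                    # what the finding objects to
    print(redact(diagnose_unsafe(SAMPLE_ENV)))            # same output, scrubbed
    print(diagnose_safe(SAMPLE_ENV, b"per-install-salt"))  # presence + fingerprint only
```

The salt would be generated once per installation (for example with `os.urandom`) and kept with the skill's local state; without it, a fingerprint cannot be matched to a key, so the hardened output is safe to paste into a support ticket. The scrubber is a backstop for the existing script, not a substitute for removing the value from the print statement.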

Missing User Warnings

Medium
Confidence
95%
Finding
The refund function directly performs a safety-critical financial action once called, with no built-in confirmation, re-authentication, or secondary approval step. In an agent setting, this increases the risk of accidental, prompt-injected, or unauthorized refunds because a single tool invocation can move funds immediately.
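The Overview's guidance (low-limit credentials, manual approval outside the skill before any payment creation or refund) and this finding are the same control seen from two sides, so one added example covers both. It is not the skill's own refund function: it is a gate that refuses to move funds unless an approval record issued outside the skill is presented for that exact refund, with a per-call cap, an expiry, and single use. The approval key, cap, TTL, client shape and error types are assumptions. HMAC is used so the example runs on the standard library alone; in production the approver would sign with a private key and the skill would hold only the public key, so that code running inside the skill (including prompt-injected code) cannot mint its own approvals.

```python
# Added example, not the skill's own refund function. Key, cap, TTL and the
# payments client are assumptions; HMAC stands in for an asymmetric signature.
import hashlib
import hmac
import json
import time

MAX_REFUND_MINOR_UNITS = 5000   # assumed per-call cap: 50.00 in minor units
APPROVAL_TTL_SECONDS = 600      # assumed approval validity window


class ApprovalRequired(Exception):
    """Raised when a refund is attempted without an approval record."""


class RefundRejected(Exception):
    """Raised when the approval does not match, is stale, reused, or over cap."""


def _canonical(payment_id, amount, currency, approver, expires):
    # Deterministic serialization so signer and verifier hash identical bytes.
    return json.dumps(
        {"payment_id": payment_id, "amount": amount, "currency": currency,
         "approver": approver, "expires": expires},
        sort_keys=True, separators=(",", ":"),
    ).encode()


def issue_approval(approver_key, payment_id, amount, currency, approver, now=None):
    """Run by the human or approval service, never inside the skill."""
    now = int(time.time()) if now is None else now
    expires = now + APPROVAL_TTL_SECONDS
    sig = hmac.new(approver_key,
                   _canonical(payment_id, amount, currency, approver, expires),
                   hashlib.sha256).hexdigest()
    return {"payment_id": payment_id, "amount": amount, "currency": currency,
            "approver": approver, "expires": expires, "sig": sig}


class FakePaymentsClient:
    """Constructed stand-in for the real API client: records calls, moves no money."""
    def __init__(self):
        self.calls = []

    def create_refund(self, **kwargs):
        self.calls.append(kwargs)
        return {"id": f"re_{len(self.calls)}", **kwargs}


class RefundGate:
    def __init__(self, approver_key, client):
        self.approver_key = approver_key
        self.client = client
        self.used_sigs = set()   # each approval authorizes exactly one refund

    def refund(self, payment_id, amount, currency, approval=None, now=None):
        now = int(time.time()) if now is None else now
        if not isinstance(amount, int) or amount <= 0 or amount > MAX_REFUND_MINOR_UNITS:
            raise RefundRejected(f"amount {amount} outside 1..{MAX_REFUND_MINOR_UNITS}")
        if approval is None:
            raise ApprovalRequired("refund needs an out-of-band approval record")
        # Recompute over the *requested* parameters, so an approval for one
        # refund cannot be replayed against a different payment or amount.
        expected = hmac.new(self.approver_key,
                            _canonical(payment_id, amount, currency,
                                       approval["approver"], approval["expires"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, approval["sig"]):
            raise RefundRejected("approval does not cover this refund")
        if now > approval["expires"]:
            raise RefundRejected("approval expired")
        if approval["sig"] in self.used_sigs:
            raise RefundRejected("approval already used")
        self.used_sigs.add(approval["sig"])
        # The signature doubles as the idempotency key, so a retried call
        # cannot produce a second refund at the API either.
        return self.client.create_refund(payment_id=payment_id, amount=amount,
                                         currency=currency, idempotency_key=approval["sig"])


if __name__ == "__main__":
    key, client = b"approver-key-held-outside-the-skill", FakePaymentsClient()
    gate = RefundGate(key, client)
    approval = issue_approval(key, "pay_1", 2500, "usd", "alice")
    print(gate.refund("pay_1", 2500, "usd", approval))
```

The same gate shape applies to payment creation, which the Overview also asks to be approved outside the skill. Because the signature binds payment id, amount and currency, the agent can only spend an approval on the refund a human actually looked at; the cap limits the blast radius of a single bad approval, and the used-signature set plus idempotency key ensure one approval never becomes two refunds.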

VirusTotal

65/65 vendors flagged this skill as clean. A clean antivirus verdict does not address the agentic findings above: those concern what the skill is permitted to do with valid credentials, not whether it contains known malware.
