sohopay

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it says, but it can use a raw wallet private key to send real on-chain financial transactions without built-in confirmation or spend limits.

Install only if you intentionally want an agent to operate a SOHO Pay wallet. Use a dedicated low-balance wallet, start on testnet, verify contract and merchant addresses, and add your own confirmation, amount limits, and recipient allowlists before enabling mainnet payments or repayments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%
Finding: The skill claims to initiate payments, but it also performs an additional state-changing on-chain action by calling registerAgent(payerAddress) when the signer is not registered or active. This violates the principle of least surprise: a user expecting only a payment may unknowingly authorize account enrollment or role activation, which can have compliance, permission, or financial consequences depending on the BorrowerManager semantics.

Description-Behavior Mismatch

Severity: High
Confidence: 96%
Finding: The manifest claims the skill uses EIP-712 signatures, which implies off-chain signing with bounded user consent, but the implementation instead loads a raw PRIVATE_KEY and directly submits approve() and repay() transactions on-chain. This is dangerous because users or calling agents may trust the safer advertised model while actually granting the skill authority to spend tokens and broadcast transactions from a hot key.

Intent-Code Divergence

Severity: Medium
Confidence: 87%
Finding: The usage text presents the script as a straightforward repayment tool, but omits the critical fact that it will use a PRIVATE_KEY to issue approve() and repay() transactions. In the context of an agent skill for payments, this mismatch increases the risk of unsafe operator assumptions, causing users to expose signing keys or authorize token spending under a misleading description.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding: This read-only status script unnecessarily requires the user's PRIVATE_KEY solely to derive the wallet address being inspected. That expands secret exposure to any environment, CI job, shell history, or debugging workflow that runs the script, even though no signing or state-changing action is performed. In the context of a payment/credit-layer skill, requiring a live signing key for status inspection is especially risky because compromise of that key could enable unauthorized financial actions elsewhere in the skill suite.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding: The natural-language triggers are broad enough to match ordinary conversational phrases around paying or checking status, which is especially dangerous because this skill can sign transactions with a configured private key. In an autonomous or multi-skill environment, ambiguous activation boundaries can lead to unintended payment, registration, or other financial actions from loosely phrased user requests.

Vague Triggers

Severity: Medium
Confidence: 87%
Finding: Repayment examples like 'repay my bot debt' are underspecified and may overlap with generic requests, yet they can trigger token approvals and on-chain repayment transactions using the bot wallet. Because repayment changes financial state and may consume wallet funds, accidental invocation in response to vague language is a real operational security risk.

VirusTotal

63/63 vendors flagged this skill as clean.