claw-pay

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed crypto payment and wallet skill, but it gives an agent broad USDC spending authority across arbitrary x402 services and includes direct-transfer capability, so users should review it carefully before installing.

Install only if you intend to let an agent spend USDC from a dedicated low-balance wallet. Set very small per-request limits, test on Base Sepolia first, use a strong wallet password, keep the mnemonic private, and avoid using it on untrusted sites unless you add your own domain, recipient, and total-spend controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
97% confidence
Finding
The skill describes code that reads environment variables, performs network requests, and manages funds, yet it declares no permissions. That mismatch reduces user visibility into sensitive capabilities and can lead an agent or reviewer to approve a skill without understanding it can access secrets and transmit data externally.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The stated purpose focuses on x402 payments, but the content also enables wallet creation, persistent key storage, balance inspection, and arbitrary direct USDC transfers. This materially expands the trust boundary from 'pay metered services' to 'act as a general-purpose crypto wallet,' increasing the chance of unintended fund movement or approval under false assumptions.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The file exposes a generic ERC-20 transfer primitive that can send tokens to any address, which exceeds the stated skill purpose of x402/USDC payment facilitation. In an agent setting, this broadens the action surface from bounded merchant-payment flows to arbitrary asset transfers, increasing the risk of prompt-induced or policy-bypassing fund movement even though the function includes a confirmation flag.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The transfer function is a general-purpose token sending API and is not justified by the declared x402 facilitator use case. Because any caller that can invoke this code can request transfers to arbitrary recipients, the mismatch between declared scope and implemented capability creates a meaningful security risk in autonomous-agent environments where users may not expect unrestricted token exfiltration features.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The guidance says to use the skill whenever a service returns HTTP 402 or claims x402 payment is required, which is overly broad for an autonomous spending tool. In practice, a malicious or compromised endpoint could trigger repeated small charges or social-engineer the agent into paying untrusted services within the configured cap.

External Transmission

Medium
Category
Data Exfiltration
Content
const wallet = await loadWallet(process.env.CLAW_PAY_WALLET_PASSWORD);

// Works exactly like fetch() but handles 402 automatically
const response = await payAndFetch(
  'https://api.example.com/generate',
  { method: 'POST', body: JSON.stringify({ prompt: 'Hello' }) },
  {
Confidence
83% confidence
Finding
Fetch( 'https://api.example.com/generate', { method: 'POST'

Session Persistence

Medium
Category
Rogue Agent
Content
## Setup (one-time, first use)

### 1. Create a wallet

```javascript
const { createWallet } = require('./src/wallet');
Confidence
90% confidence
Finding
Create a wallet ```javascript const { createWallet } = require('./src/wallet'); const password = process.env.CLAW_PAY_WALLET_PASSWORD; const { address, mnemonic } = await createWallet(password); con

VirusTotal

64/64 vendors flagged this skill as clean.
