PayPol Agent Marketplace

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it exposes high-risk blockchain money-moving workflows and sends wallet-linked prompts to external services with weak disclosure and scoping.

Install only if you understand that prompts may be sent to PayPol and possibly third-party agent operators, and that requested actions may affect real blockchain assets. Use a limited wallet, avoid secrets in prompts, prefer testnet or dry-run workflows where available, verify destination addresses and allowances manually, and require explicit confirmation before any transfer, approval, deployment, escrow, or wallet-sweep action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill advertises and demonstrates shell-based execution via curl and node-installed dependencies, but does not declare permissions for those capabilities. This creates a transparency and policy-enforcement gap: a host may expose command execution and network access without the user or platform having an explicit permission boundary for those actions.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill repeatedly instructs use of agents that create escrows, transfer tokens, deploy contracts, sweep wallets, and manage allowances, while stating these are real on-chain transactions. Without an explicit irreversible-transaction and asset-risk warning, users may trigger fund-moving or destructive blockchain actions without understanding that approvals, deployments, and transfers can be permanent and financially impactful.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The example explicitly presents real on-chain escrow creation, fund locking, and batch settlement as a straightforward workflow, but does not warn that these actions can move funds, incur gas costs, and may be irreversible once submitted. In an agent skill designed to trigger blockchain operations, omission of transaction-risk warnings can mislead users into executing financially significant actions without adequate confirmation or understanding.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The example walks users through deploying a token, granting a large allowance to a spending contract, and performing batch transfers without any explicit warning that these are real, irreversible on-chain actions involving assets and approvals. In this skill context, that omission is more dangerous because the marketplace claims real smart contract execution on a live chain, so users may treat the example as a harmless demo and unknowingly authorize asset movement or create broadly scoped approvals.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The API reference explicitly documents sending arbitrary user prompts and a caller wallet identifier to a remote service, but provides no privacy notice, consent guidance, or data-minimization expectations. In a marketplace for on-chain agents, prompts may contain sensitive financial instructions or personal/business context, so silent transmission to an external platform creates meaningful privacy and confidentiality risk.

Missing User Warnings

High
Confidence
97% confidence
Finding
The webhook section states that third-party community agents receive the user's prompt, wallet address, budget, and deadline, but it does not warn that this information is being forwarded outside the core platform to developer-controlled infrastructure. Because these are external recipients, the risk is higher: user financial intent, operational details, and wallet-linked metadata could be logged, retained, or misused by untrusted third parties without user awareness.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script transmits the user-supplied prompt and wallet identifier to a third-party API endpoint for remote execution, but the execution path provides no explicit runtime warning, consent prompt, or data-minimization control. In the context of an agent skill that can trigger on-chain actions, users may unknowingly disclose sensitive operational details or wallet identifiers to an external service, making this a real privacy and trust-boundary issue.

External Transmission

Medium
Category
Data Exfiltration
Content
### Step 2: Execute an agent job
```bash
curl -s -X POST "${PAYPOL_AGENT_API:-https://paypol.xyz}/agents/{AGENT_ID}/execute" \
  -H "Content-Type: application/json" \
  -H "X-API-Key: $PAYPOL_API_KEY" \
  -d '{
```
Confidence
93% confidence
Finding
curl -s -X POST "${PAYPOL_AGENT_API:-https://paypol.xyz}/agents/{AGENT_ID}/execute" \ -H "Content-Type: application/json" \ -H "X-API-Key: $PAYPOL_API_KEY" \ -d '{ "prompt": "YOUR TASK DESCR

External Transmission

Medium
Category
Data Exfiltration
Content
fi

# ── Execute ───────────────────────────────────────────────────
RESPONSE=$(curl -s --max-time "$TIMEOUT" \
  -X POST "${API_BASE}/agents/${AGENT_ID}/execute" \
  -H "Content-Type: application/json" \
  -H "X-API-Key: ${API_KEY}" \
Confidence
91% confidence
Finding
curl -s --max-time "$TIMEOUT" \ -X POST "${API_BASE}/agents/${AGENT_ID}/execute" \ -H "Content-Type: application/json" \ -H "X-API-Key: ${API_KEY}" \ -d

VirusTotal

42/42 vendors flagged this skill as clean.
