PayTrigo (OpenClawBot, Base/USDC)

Security checks across malware telemetry and agentic risk

Overview

This payment skill is broadly coherent, but it ships live payment API credentials and can let a bot spend wallet funds with weak built-in controls.

Review carefully before installing. Do not rely on the embedded PayTrigo keys for production, prefer a version that requires your own scoped credential, and do not give an agent a private key or passphrase file unless you have external spend limits, approval checks, and recipient verification in place.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (16)

Description-Behavior Mismatch

Medium
Confidence: 90%
Finding
The skill claims to provide a minimal payment create/verify flow, but it also instructs the agent to create wallets, import private keys, store encrypted wallet material locally, and execute direct bot-paid transactions. That materially expands the trust boundary from payment API usage into key custody and fund movement, which creates unnecessary exposure to credential theft, accidental signing, and unauthorized transfers.

Context-Inappropriate Capability

High
Confidence: 94%
Finding
The documented local wallet custody flow is broader than the stated purpose of creating or verifying PayTrigo payments and introduces handling of highly sensitive private-key material. This increases the attack surface substantially because any agent or user following the skill may persist wallet secrets on disk and normalize key import in a context that does not require it for simple invoice creation or status polling.

Description-Behavior Mismatch

Medium
Confidence: 98%
Finding
Advertising an embedded platform API key for immediate use is a serious credential exposure issue because anyone with access to the skill or helper script may reuse the shared key to create invoices or otherwise interact with the payment platform. Embedded long-lived secrets are especially dangerous in distributed skill content because they are difficult to rotate, easy to exfiltrate, and may enable abuse across all downstream users of the skill.

Context-Inappropriate Capability

High
Confidence: 99%
Finding
The script hardcodes a live PayTrigo secret key directly in source, which exposes a production credential to anyone who can read the file, logs, repository history, or packaged artifact. In a payment skill, this is especially dangerous because the credential can be reused to create or manipulate invoices against the associated PayTrigo account and may enable unauthorized payment operations or account abuse.

Context-Inappropriate Capability

High
Confidence: 99%
Finding
The script contains a hardcoded live PayTrigo secret key, which grants whoever has the file the ability to create invoices and exercise merchant payment capabilities against the real PayTrigo account. In the context of an agent skill intended for automated payment creation, embedding a production credential is especially dangerous because it enables unauthorized payment operations, abuse of the merchant account, and credential reuse outside the stated OpenClawBot workflow.

Context-Inappropriate Capability

High
Confidence: 99%
Finding
The script contains a hard-coded live PayTrigo secret key and automatically uses it for all authenticated requests. Any user who obtains or runs this skill can create invoices and query or submit payment-related API actions against the associated PayTrigo account, which exceeds the narrow claimed purpose and exposes real account capabilities to unauthorized parties.

Missing User Warnings

Medium
Confidence: 93%
Finding
The README explicitly shows passing a raw private key via a `--pk` command-line argument, which can expose the secret through shell history, process listings, CI logs, or terminal recording. Although the document later recommends encrypted wallet files, the quickstart presents the unsafe pattern prominently and without an immediate warning, making accidental secret disclosure more likely.

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill discusses embedded platform keys, checkout tokens, and related payment credentials without clearly warning that these are sensitive secrets that can authorize payment actions or expose transaction context. In a bot-oriented workflow, omission of such warnings makes accidental leakage into logs, prompts, repositories, or shared transcripts much more likely.

Missing User Warnings

Medium
Confidence: 90%
Finding
The local wallet storage workflow instructs users to write wallet material and passphrase-linked files to disk without describing secure storage, file permission hardening, backup risks, or host compromise implications. For an agent skill, this is dangerous because users may follow the recipe verbatim and persist recoverable wallet secrets on endpoints that are not adequately protected.

Missing User Warnings

High
Confidence: 96%
Finding
The bot-pay example accepts a raw private key on the command line, which is a severe secret-handling anti-pattern because command-line arguments are commonly exposed through shell history, process listings, logs, and telemetry. Combined with direct payment execution, this can result in immediate irreversible loss of funds if the key is captured or the command is misused.

Missing User Warnings

High
Confidence: 99%
Finding
Using a hardcoded live API credential for outbound requests without disclosure or secure handling is a real secret-management vulnerability. Because this skill directly interacts with a payment API, the embedded bearer token creates immediate risk of unauthorized API use, fraud, service abuse, and exposure of payment-related account data if the script is shared or inspected.

Missing User Warnings

Medium
Confidence: 79%
Finding
Accepting private keys on the CLI and passphrases from files increases the chance of credential leakage through shell history, process listings, insecure local storage, or accidental logging. In this context the risk is meaningful because the script signs real blockchain transactions, so compromise of these inputs can directly lead to theft of wallet funds or unauthorized payments.

Missing User Warnings

High
Confidence: 98%
Finding
A sensitive production credential is embedded directly in the script with no runtime disclosure, gating, or warning to the user. Because this is an agent skill for payments, users or downstream systems may execute it without realizing they are operating with a real merchant secret, increasing the chance of silent misuse, account compromise, and accidental real-money transactions.

Missing User Warnings

Medium
Confidence: 95%
Finding
Allowing passphrases and private keys to be passed directly on the command line can expose them through shell history, process listings, audit logs, CI job output, and orchestration tooling. In a payment-related skill that handles wallet material, this substantially increases the chance of credential disclosure and wallet compromise.

Missing User Warnings

Medium
Confidence: 88%
Finding
The `--force` path can overwrite existing encrypted wallet and address files without any confirmation, making accidental destruction or replacement of wallet state easy. In this skill context, overwriting wallet metadata or encrypted key material can lead to loss of access, misdirected payments, or operational outages.

Missing User Warnings

High
Confidence: 99%
Finding
A hard-coded payment API credential is silently used to authorize requests without user disclosure or consent. In the context of an agent skill that creates or verifies payments, this is especially dangerous because automated agents may invoke the script and unknowingly operate on a real merchant account, enabling account abuse, unauthorized invoice creation, data exposure, or fraudulent payment workflow manipulation.

VirusTotal

59/59 vendors flagged this skill as clean.
