x402 pay

Security checks across malware telemetry and agentic risk

Overview

This skill is transparently built for real crypto payments, but it gives agents broad wallet/key access and includes payment/funding flows that need stronger built-in limits before ordinary users should install it.

Install only if you intentionally want an agent to make x402 USDC payments. Use a dedicated low-balance wallet, prefer managed wallets or external wallet policies over raw private keys, avoid exposing generic PRIVATE_KEY-style secrets, require human approval for every command and payment, verify the exact URL, price, network, refund destination, and transaction result, and set external spend limits or allowlists wherever possible.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Context-Inappropriate Capability

Medium (95% confidence)
Finding
The skill directs the agent to inspect broad local context including system prompts, agent config, environment variables, project .env files, home-directory keystores, and to run a local CLI to discover wallets. That exceeds what is strictly necessary for handling an x402 payment flow and creates a real risk of unnecessary secret discovery, cross-project credential exposure, and use of unrelated wallets or funds without clear user-scoped consent.

Vague Triggers

Medium (91% confidence)
Finding
The trigger list is broad enough to activate on generic phrases like "fund my wallet," "top up," or "pay for API," which can route normal user requests into a skill that installs dependencies, accesses the network, and may initiate wallet/payment workflows. In this skill context, that misrouting is more dangerous because the capability is tied to cryptocurrency funding and paid API transactions, so an overly eager match increases the chance of unnecessary payment-related actions being proposed or taken.

Missing User Warnings

Medium (94% confidence)
Finding
The document instructs users to persist a raw private key in a plaintext `.env` file and emphasizes persistence across sessions, but it does not give a strong warning about the security risks of local plaintext secret storage. Private keys grant full control of wallet funds, so storing them unencrypted increases the chance of compromise through accidental commits, local malware, backups, shell history, or multi-user system exposure.

Missing User Warnings

High (97% confidence)
Finding
The script automatically converts a 402 response into a signed payment and retries the request using the provided private key, with no interactive confirmation, spending cap, allowlist, or trust check on the destination. In this skill context, that is especially dangerous because the tool is explicitly meant to pay arbitrary x402-protected endpoints, so a user or agent could be induced to send funds to an attacker-controlled service simply by supplying a URL.

VirusTotal

VirusTotal findings are pending for this skill version.
