ClawHub

Spraay Openclaw

Security checks across malware telemetry and agentic risk

Overview

This skill is a real payment-gateway integration, but it gives an agent broad spending, file-upload, messaging, and robot-task abilities without enough built-in guardrails.

Install only if you intentionally want an agent to use Spraay for real payment and paid-service workflows. Before any payment, PSBT broadcast, escrow release, payroll, bridge, email, IPFS upload, AI prompt submission, or robot commission, require human review of recipients, amounts, fees, budgets, destination addresses, uploaded content, and third-party data sharing; use spending limits and avoid sensitive files or secrets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (19)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill declares executable shell capability via curl but does not declare corresponding permissions or user-safety constraints. In an agent environment, hidden or undeclared execution capability increases the chance of unexpected network actions, especially because this skill can trigger payment, escrow, and robot-task endpoints.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill is presented primarily as payment infrastructure, but the content also exposes broader capabilities including AI inference, RPC, web search, email, IPFS, oracle access, and escrow. This mismatch can cause an orchestrating agent or user to invoke the skill in situations they would not expect, leading to data exfiltration, paid API usage, or side effects beyond simple payments.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The script exposes multiple generic capabilities unrelated to the advertised payment-focused purpose, including AI chat, web search, email, arbitrary RPC, and IPFS uploads. In an agent environment, this unnecessary expansion of scope increases the attack surface and can let prompts or workflows trigger unintended outbound actions or data transfers through a trusted payment skill.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Generic email sending is unrelated to the declared crypto payment/protocol functionality and creates a direct outbound communication channel. In an autonomous agent context this can be abused for phishing, spam, exfiltration of generated or user-supplied content, or unauthorized notifications under the guise of a payment tool.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The AI inference endpoint is a broad, non-payment capability that materially expands what this skill can do beyond its stated scope. That makes it easier to smuggle prompts or sensitive content to a remote service through a trusted payment integration, undermining least privilege and user expectations.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Web search is not necessary for payment settlement and creates a general-purpose outbound data and browsing channel. In an agent system, that broadens capability scope and may allow prompt-driven retrieval or transmission of sensitive queries via an overprivileged skill.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Arbitrary blockchain RPC passthrough is broader than a payment-oriented interface and effectively grants a general remote procedure channel to blockchain nodes or a gateway proxy. This can be used for unintended chain interactions, metadata access, or abuse beyond the constrained payment workflows users would expect from this skill.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
IPFS pinning allows arbitrary local file content to be base64-encoded and sent to a remote service, which is outside the stated payment purpose. In an agent environment this is a strong exfiltration primitive because any readable file path passed to the script can be uploaded without contextual safeguards.

Context-Inappropriate Capability

Low
Confidence
80% confidence
Finding
Catalog enumeration exposes a broader discovery surface than the manifest describes by listing all bazaar endpoints. While lower impact than direct action primitives, it can aid capability discovery and chaining by revealing additional remote functionality not obvious from the payment-centered description.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The invocation guidance is broad enough to match many generic crypto or payment-related requests, which raises the risk of over-triggering this skill. Because the skill can move funds and access paid endpoints, broad routing logic increases the chance that sensitive or costly actions are selected when a narrower, safer tool would suffice.

Missing User Warnings

High
Confidence
96% confidence
Finding
The skill documents actions that can transfer cryptocurrency, incur micropayment charges, create escrow, and commission physical robot tasks, but it does not include strong user-facing warnings, confirmation requirements, or safety preconditions. In practice, this can enable accidental financial loss, unexpected billing, or real-world operational consequences if an agent follows the examples too readily.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The reference provides actionable instructions for constructing and submitting batch crypto payments, including CSV import and API request formats, but does not warn that blockchain transfers are irreversible or that malformed recipient data can cause permanent loss or misdirection of funds. In a payment skill explicitly intended for payroll, airdrops, and mass transfers, this omission increases the chance that users or downstream agents will submit incorrect addresses or amounts without validation or confirmation.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation describes broadcasting a signed Bitcoin transaction but does not explicitly warn that broadcast is irreversible once confirmed and may be hard or impossible to recover after propagation. In a payment skill intended for agent use, omission of this warning can cause unsafe automation or user approval flows that submit final on-chain transfers without adequate confirmation or review.

Missing User Warnings

Low
Confidence
81% confidence
Finding
The workflow and endpoint descriptions indicate that addresses, UTXO data, balances, and signed transaction metadata are sent to a gateway and third-party infrastructure such as Mempool.space, but the documentation provides no privacy disclosure. This can expose wallet clustering, balances, transaction intent, and operational behavior, which is especially relevant for AI agents handling payroll, batch payouts, or other sensitive financial activity.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation explicitly instructs transmission of sensitive real-world data including precise robot coordinates, street addresses, callback URLs, and wallet addresses, but provides no privacy, minimization, retention, or abuse-prevention guidance. In the context of a protocol that coordinates physical robots and on-chain payments, this can enable location tracking, targeting of operators or destinations, webhook abuse, and correlation of physical identities with blockchain activity.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This reference documents many payment-bearing and high-impact actions, including escrow release, bridge execution, payroll execution, identity/KYC, wallet creation, robot task commissioning, and Bitcoin batch broadcast, but provides no user-facing cautions about irreversible blockchain actions, costs, external data sharing, or authorization expectations. In an agent skill context, that omission is security-relevant because downstream agents may invoke these routes automatically, increasing the chance of unintended spending, sensitive data disclosure to third parties, or destructive actions without meaningful user confirmation.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The AI chat call transmits user-provided prompt content to a remote gateway with no user-facing warning, confirmation, or redaction controls. Because prompts may contain secrets, proprietary data, or sensitive instructions, silent transmission increases privacy and compliance risk.

Missing User Warnings

High
Confidence
99% confidence
Finding
The IPFS pin feature reads a local file and uploads its contents to a remote gateway without any warning or confirmation. This is especially dangerous because it can directly exfiltrate sensitive local data from the agent runtime under the appearance of a normal skill action.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The email action sends user-supplied recipient, subject, and body data to a remote service with no disclosure that content is leaving the environment. This can result in accidental sharing of sensitive information and unauthorized outbound communications from an agent.

VirusTotal

49/49 vendors flagged this skill as clean.

View on VirusTotal