Hypha Payment

Security checks across malware telemetry and agentic risk

Overview

The skill appears purpose-aligned for Hypha agent discovery and crypto payments, but it deserves review because its examples and helper script handle wallet secrets and real payment flows too loosely.

Install only after reviewing the SDK and using a dedicated test wallet with minimal funds. Do not paste production seed phrases or private keys into examples, logs, or setup output; prefer testnet first, verify recipient addresses, amounts, fees, RPC/bootstrap endpoints, and require explicit confirmation before any payment or escrow release.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill provides copyable instructions for sending USDT and completing escrow actions on a real blockchain network, but it does not prominently warn that these operations can transfer real funds, incur fees, and may be irreversible once broadcast. In an agent skill context, this is especially dangerous because automation may cause users or downstream agents to execute payment flows without adequate confirmation, testnet/mainnet distinction, or human review.

Missing User Warnings

High
Confidence: 99%
Finding
The script prints the provided seed phrase directly to stdout, exposing secret material that can be captured by terminal history, logs, CI output, shell session recording, or other users with console access. In this skill's payment and wallet context, disclosure of the seed can enable full takeover of the derived identity and wallet, including theft of USDT and impersonation on the Hypha network.

VirusTotal

65/65 vendors flagged this skill as clean.
