v0.1.0

Hypha Payment

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 5:50 AM.

Analysis

Hypha Payment is purpose-aligned for P2P USDT settlement, but it handles wallet-controlling seeds/private keys and payment flows without clear approval limits.

Guidance: Install only if you intentionally want an agent to participate in Hypha P2P payments. Use a fresh testnet wallet first, pin and review hypha-sdk, never expose or print wallet seeds/private keys, and require explicit approval for every transfer, escrow, network, and recipient.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: High | Confidence: High | Status: Concern
SKILL.md
result = wallet.send_payment(to="0xRecipientAddress", amount_usdt=5.00) ... escrow_id = await agent.hire(... amount=10.0 ...)

The core workflow demonstrates direct USDT transfers and escrow funding, but the artifact does not show an approval gate, spending cap, or required user confirmation before these high-impact actions.

User impact: If an agent uses this skill with wallet authority, a mistaken or compromised workflow could transfer or lock funds.
Recommendation: Require explicit user confirmation for every recipient, amount, network, and fee; use spending limits and testnet/dry-run defaults where possible.
Agentic Supply Chain Vulnerabilities
Severity: Medium | Confidence: High | Status: Note
SKILL.md
pip install hypha-sdk

The wallet and payment behavior is delegated to an external PyPI package that is not pinned in the artifact.

User impact: Changes or compromise in the external SDK could affect payment and wallet behavior.
Recommendation: Pin and verify the SDK version, review the package source, and prefer locked hashes before using it with real funds.
Human-Agent Trust Exploitation
Severity: Medium | Confidence: Medium | Status: Note
references/network.md
### Mainnet (Base)
- TBD — testnet only for now

The reference indicates mainnet support is not yet specified, which is important because the skill otherwise presents USDT settlement workflows.

User impact: Users may overestimate production readiness or attempt financial workflows on the wrong network.
Recommendation: Treat the skill as testnet-only unless mainnet contracts and network settings are explicitly verified.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: High | Confidence: High | Status: Concern
scripts/setup_agent.py
"Generates a seed, derives identity + wallet" ... seed_phrase = sys.argv[1] ... print(f"  Seed Phrase:  {seed_phrase}")

The setup helper accepts a seed phrase used for identity and wallet derivation and echoes it, which can expose wallet-controlling material through terminal output, logs, or shell history.

User impact: Anyone who obtains the seed phrase may be able to control the associated agent identity and wallet funds.
Recommendation: Use a cryptographically strong secret, avoid passing it on the command line, never print it, and declare wallet/private-key handling clearly as a credential requirement.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Medium | Confidence: Medium | Status: Note
SKILL.md
peers = await agent.discover_peers() ... Returns: [{"agent_id": "...", "name": "...", "wallet": "0x...", "services": [...]}]

The skill relies on discovered peer wallet and service data for agent hiring and payment flows.

User impact: Unverified peer data could lead a user or agent to pay the wrong wallet or trust an unsuitable peer.
Recommendation: Verify peer identity, wallet address, task terms, and service claims before hiring or paying any discovered agent.