xClaw02

Security checks across malware telemetry and agentic risk

Overview

This skill is a clearly disclosed x402/USDC payment helper, but it should be used carefully because it can handle wallet keys and make real payments.

Install only if you intend to use agent-assisted x402/USDC payments. Use a dedicated low-balance wallet, keep private keys and mnemonics out of chat and logs, verify the package source before running npx or pip, and require explicit confirmation before any payment.

SkillSpector

By NVIDIA

Vulnerability Patterns

Rogue AgentSelf-Modification, Session Persistence
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Session Persistence

Medium

Category: Rogue Agent
Content: ``` This will: 1. Create a new wallet (or use existing) 2. Save config to `~/.openclaw/skills/xclaw02/` 3. Display your wallet address to fund with USDC on Base
Confidence: 80% confidence
Finding: Create a new wallet (or use existing) 2. Save config to `~/.openclaw

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal