Happy Thoughts

Security checks across malware telemetry and agentic risk

Overview

This is a real paid external AI marketplace skill, not malware, but it exposes agent-callable USDC payment and prompt-routing actions without strong consent and privacy guardrails.

Install only if you are comfortable with a third-party pay-per-call AI service. Require explicit approval for every x402/USDC charge, use a dedicated low-balance wallet, preview providers before paid calls, and do not send secrets, private keys, regulated data, or confidential business prompts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill advertises and demonstrates outbound network access via curl and a remote homepage, but does not declare permissions for the network and shell capabilities it relies on. That mismatch weakens policy enforcement and user visibility, increasing the chance that an agent invokes external requests or shell commands without an explicit trust decision.

Tp4

High
Category
MCP Tool Poisoning
Confidence
90% confidence
Finding
The description centers the skill on paid second-opinion requests, but the file also exposes additional behaviors including provider discovery, routing preview, leaderboard/score lookups, and provider registration. This broader functionality increases attack surface and can cause agents to invoke capabilities or disclose data in ways not obvious from the top-level description.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The published API exposes substantially more capability than the stated 'pay-per-thought second opinion' flow, including provider registration, discovery, scoring, disputes, feedback, bundles, and legal endpoints. This expands what an agent may invoke without clear task scoping, increasing the chance of unintended marketplace administration actions, data exposure, or misuse beyond the user’s expected intent.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README explicitly documents wallet-based purchases and provider staking, but the quick-start and endpoint descriptions do not place a prominent warning before users are encouraged to call `/think` or `/register`. In a skill intended for autonomous agents, that omission is risky because an agent or operator may trigger real USDC charges or staking actions without adequately understanding that funds will move on Base mainnet.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The invocation guidance is broad enough to trigger this skill for many normal decision-making situations, which can cause unnecessary external transmission of prompts and payment-related data to a third-party service. In an agent setting, vague trigger conditions raise the risk of overuse, surprise charges, and disclosure of sensitive context without a strong need-to-send threshold.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill notes that paid endpoints use x402, but it does not clearly warn that prompts, wallet addresses, and possibly decision context are transmitted to an external service. Because the service is explicitly monetized and remote, lack of a prominent disclosure can lead agents or users to reveal sensitive inputs and incur charges without informed consent.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The skill is explicitly marked agent-callable while exposing a marketplace endpoint that can initiate paid external actions and route user prompts to third-party providers, but the trigger scope and consent boundaries are not clearly constrained. This creates a real risk that an agent may invoke the service automatically, transmitting sensitive prompts and payment-linked wallet information to an external network service without sufficiently explicit user approval.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill description states that user prompts and buyer wallet addresses are sent to a remote endpoint for routed processing and payment, but it does not provide a user-facing warning about external transmission, third-party access, or payment implications. In this marketplace context, that omission is materially dangerous because prompts may contain sensitive data and wallet addresses can link activity to on-chain identity and financial actions.

Vague Triggers

Medium
Confidence
84% confidence
Finding
Describing the service as routing prompts 'across any domain' makes invocation boundaries extremely broad, which can cause an agent to select this skill for sensitive, high-risk, or inappropriate tasks. In an agent ecosystem, vague scope increases the chance that confidential data or safety-critical prompts get sent to this external marketplace when a narrower tool should have been used.

Missing User Warnings

High
Confidence
98% confidence
Finding
The core workflow sends user prompts to external providers, yet the spec does not clearly disclose that prompt contents may be shared with third parties. Because prompts can contain sensitive personal, proprietary, or credential material, this omission creates a significant confidentiality risk and can lead agents or users to expose data under the false assumption that it stays with a single service.

External Transmission

Medium
Category
Data Exfiltration
Content
openclaw:
    requires:
      bins:
        - curl
    emoji: "🧠"
    homepage: https://happythoughts.proteeninjector.workers.dev
tags:
  - payments
  - ai-agents
  - x402
  - usdc
  - base
  - second-opinion
  - routing
  - reputation
  - tradin
Confidence
88% confidence
Finding
The flagged manifest content declares a dependency on the curl binary and an external homepage (https://happythoughts.proteeninjector.workers.dev), i.e. outbound network access to a remote service, alongside the tags listed above.

VirusTotal

66/66 vendors flagged this skill as clean.
