Payclaw

Security checks across malware telemetry and agentic risk

Overview

PayClaw has a plausible payment purpose, but its escrow claims and shell-based command execution create real review concerns before installation.

Install only in a trusted test environment with a low-risk Circle testnet API key. Do not treat the escrow feature as real escrow, manually verify every recipient and amount before payment or release, and avoid passing untrusted wallet names, addresses, amounts, memos, or API-key strings until shell command construction and input validation are fixed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
83% confidence
Finding
The skill advertises and documents use of an API key and wallet functionality, which implies access to sensitive environment/configuration data, yet no permissions are declared. This creates a transparency and trust problem: users and platforms cannot accurately assess what sensitive capabilities the skill needs, increasing the risk of over-privileged execution or secret exposure through undocumented env access.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documentation materially overstates security-sensitive behavior: it presents escrow as if funds are trustlessly held, and implies receiving payments, while the analysis indicates escrow is only local bookkeeping and receiving is just payment-request generation. In a payment skill, this mismatch is dangerous because users or agents may rely on false assumptions and transfer funds under the belief that protections or payment-detection mechanisms exist when they do not.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The escrow feature is represented only by local JSON state and does not lock, reserve, or otherwise escrow funds on-chain or with a trusted custodian. In a payment skill, this is dangerous because users and agents may rely on the command semantics and release/refund flow as if funds are protected, leading to fraud, failed settlements, or false assurance in automated agent-to-agent transactions.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The CLI text and command names strongly imply that escrow funds are created, released, and refunded, but the implementation only updates local status until a later direct send occurs. This mismatch is security-relevant because it can deceive users or autonomous agents into believing funds are protected or refundable when they are not, creating financial loss and trust failures.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The helper wraps `execSync` with a shell command string and interpolates user-influenced data into `circle-wallet ${cmd}`. Multiple call sites pass unsanitized CLI arguments such as API key, address, amount, and wallet name, so shell metacharacters could trigger arbitrary command execution on the host, which is far beyond the intended payment functionality.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The escrow creation flow only writes a JSON record and never actually locks, reserves, or transfers USDC, yet the interface presents it as a real escrow. This can mislead users or agents into believing funds are secured when no on-chain or custodial protection exists, enabling fraud, failed settlements, and business-logic abuse.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The refund command changes local escrow status to `refunded` without sending any funds back to the sender. In a payments tool, this creates a dangerous mismatch between displayed state and actual asset movement, which can cause users or agents to rely on a refund that never occurred.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill describes commands that send funds and release escrow but omits basic transactional safety guidance such as verifying recipient addresses, confirming amounts, and understanding irreversibility. In a financial workflow, that omission increases the chance of accidental loss, misdirection of funds, or social engineering-driven transfers by human users or autonomous agents.

Missing User Warnings

High
Confidence
99% confidence
Finding
The API key is interpolated into a shell command and passed via execSync, exposing the secret to shell parsing, process listings, logs, and potential command injection if the value contains shell metacharacters. Because this skill handles payments, compromise of the API key could enable unauthorized wallet operations or broader account abuse.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The tool persists recipient addresses, amounts, memos, and timestamps to disk without clear disclosure or access controls on that history file. In a payment context, this creates privacy and operational security risk because memos and counterparties may contain sensitive business or identity information that other local users or malware can harvest.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
Agent registration writes wallet addresses and optional descriptions to a local directory file without explicit disclosure or permission hardening. While local-only, this still exposes potentially sensitive financial identifiers and metadata in a payment-oriented skill, which may aid profiling or targeting if the host is shared or compromised.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The tool stores the Circle API key in plaintext JSON on disk and does not clearly warn the user during setup. Although file mode 0600 helps, local compromise, backups, logs, shared home directories, or accidental disclosure could expose a credential capable of controlling payment operations.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The code invokes an external subprocess using user-influenced input without disclosing that arbitrary shell parsing will occur. In this skill context, that is especially dangerous because users expect payment actions, not general command execution, so maliciously crafted inputs could execute host commands under the user's account.

VirusTotal

65/65 vendors flagged this skill as clean.