ROZO Intents Pay & Bridge

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed crypto payment helper that contacts Rozo and Stellar services for balances, payment setup, and status checks, with no evidence of hidden credential theft or automatic fund transfer.

Install only if you are comfortable using Rozo-operated services for crypto payment workflows. Expect wallet addresses, balances, transaction hashes, QR payment contents, and payment setup details to be sent to external APIs, and verify chain, token, amount, recipient, memo, fee, and total before confirming any payment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (18)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill explicitly states it makes outbound network calls to public Rozo endpoints, but those network capabilities are not declared in its permissions. Undeclared network access weakens platform trust boundaries and informed consent because the skill can transmit wallet addresses, payment identifiers, and related metadata to external services without a clear permission model.

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
This is a real security issue because the documented behavior does not match the effective capability surface of a payment skill. In a crypto-transfer context, undocumented support for additional chains/assets/URI types, missing fee retrieval, and the absence of an explicit confirmation step can cause users or the host agent to initiate transfers under false assumptions, increasing the risk of misrouting funds, privacy leakage, or unintended payment execution.

Description-Behavior Mismatch

Low
Confidence
88% confidence
Finding
The reference file instructs the agent to treat Arbitrum and Polygon as valid payout chains even though the skill metadata only claims support for Ethereum, Base, BNB Chain, Solana, and Stellar. This inconsistency can cause the agent to route funds or user workflows to unsupported networks, leading to failed transfers, asset loss through user error, or bypass of intended product safeguards.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The parser explicitly accepts EIP-681 chain IDs for Arbitrum and Polygon even though the skill metadata says supported payment networks are Ethereum, Base, BNB Chain, Solana, and Stellar. In a payment skill, widening accepted QR/network scope can cause users or downstream logic to route funds on unsupported chains, leading to failed payments, asset loss through wrong-network transfers, or bypass of intended product restrictions.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The EIP-681 handler returns generic native-transfer URIs with a value field and no stablecoin restriction, despite the skill being described as a USDC/USDT cross-chain payment tool. In this context, recognizing broader asset types is dangerous because a QR code could steer the workflow into handling native ETH or arbitrary tokens, creating mismatches with user expectations, unsupported-asset flows, and possible unintended transfers.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The parser explicitly recognizes chains and tokens outside the skill's declared payment scope, including Arbitrum, Polygon, and generic Stellar asset codes. In a payment skill, accepting out-of-scope destinations or assets can cause misrouting, unsupported payment attempts, or downstream logic acting on unvalidated QR data, especially if later components assume the parser only emits supported USDC/USDT rails.

Context-Inappropriate Capability

Low
Confidence
83% confidence
Finding
The EIP-681 parser accepts generic native-token transfer requests by returning parsed data even when no supported stablecoin token is identified. Because the skill is intended for USDC/USDT payments, this broadens behavior beyond the declared trust boundary and may lead users or downstream automation to process ETH/BNB-like native transfers unintentionally.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger phrases are overly broad for a high-risk financial skill and can match ordinary conversation such as 'send', 'pay', or 'transfer'. In this context, accidental invocation is dangerous because it may lead the agent to collect wallet data, parse QR codes, query balances, or begin payment flows when the user did not intend to use an external crypto-payment service.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill says the APIs are public and unauthenticated but does not clearly warn users that wallet addresses, balances, transaction hashes, QR contents, and payment metadata will be sent to external Rozo endpoints. For a crypto-payment skill, that omission is meaningful because blockchain identifiers are sensitive financial metadata and sharing them can reveal holdings, relationships, and payment activity.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation explicitly states that authentication is not required and all endpoints are public, including payment creation with arbitrary destination details and an optional webhook URL. In a payment skill, this is dangerous because integrators may submit sensitive payment metadata or trust callback URLs without realizing they are interacting with an unauthenticated public service that can be abused for spoofed payment creation, data harvesting, SSRF-style webhook misuse, or operational abuse despite rate limits.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The function sends sensitive payment metadata, including destination address, chain/token selections, amounts, memo, and app/order identifiers, to an external Rozo API endpoint without any visible in-code disclosure, consent mechanism, or minimization controls. In a payments skill, this can expose financial intent and recipient information to a third party, creating privacy, compliance, and user-trust risks even if the transfer service is legitimate.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The function transmits sensitive payment metadata, including destination wallet address, token, chain, amount, and optional memo, to an external Rozo API endpoint via fetch(). In a payment skill this data transfer may be operationally necessary, but the code provides no user-facing disclosure, consent checkpoint, or minimization of exposed fields, which creates a privacy and trust risk if users are unaware their payment details are being sent off-platform.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger phrases are broad enough to match common wallet-related requests without tightly constraining that the skill will contact an external payment/balance service. That increases the chance of unintended invocation on sensitive financial conversations, causing wallet addresses or balance lookups to be routed to this skill when the user may not expect it.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs the agent to send the user's wallet address to the Rozo balance API but does not disclose that external data transfer to the user. Wallet addresses are sensitive financial identifiers, and undisclosed sharing can violate user expectations, privacy requirements, or organizational data-handling policies.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill instructs the agent to read QR code content from user-shared screenshots, which can expose sensitive payment information such as wallet addresses, amounts, memos, or other embedded metadata, yet it provides no user-facing privacy notice or guidance on minimizing data handling. In a financial workflow, screenshots may also contain unrelated sensitive visual information, increasing the risk of over-collection and accidental disclosure.

Missing User Warnings

High
Confidence
95% confidence
Finding
The skill says to offer proceeding with payment when a full payment request is parsed, but it does not require a strong user-facing verification step for recipient address, chain, token, and amount before handing off to payment execution. Because crypto transfers are irreversible, malformed or malicious QR payloads could cause users to send funds to the wrong address or on the wrong chain with little chance of recovery.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The description includes broad natural-language triggers such as "check payment", "payment status", and "where is my payment", which can overlap with ordinary conversation and cause the skill to activate when the user did not clearly intend a Rozo-specific payment lookup. In a payments skill, over-triggering is riskier than usual because it may route sensitive transaction hashes, wallet addresses, or payment identifiers into a financial workflow unexpectedly.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The skill description uses broad payment-related trigger phrases and also indicates activation on wallet addresses and QR/payment-like content, which can cause the payment workflow to engage on ambiguous user inputs. In a high-risk financial skill, unintended invocation increases the chance of misrouting a conversation into a funds-transfer flow, especially when combined with auto-detection and auto-selection behavior.

VirusTotal

67/67 vendors flagged this skill as clean.
