
Security audit

ai-payment-token

Security checks across malware telemetry and agentic risk

Overview

This skill largely does what it claims, but it needs review: it can overwrite a local .env file, and with debug mode enabled it writes the API key and full request and response data to logs.

Review before installing. Back up any existing .env file, set AICADE_GALAXY_BASE_URL explicitly to the intended host, keep AICADE_GALAXY_DEBUG disabled around real keys or sensitive payloads, and inspect generated artifacts before invoking tools from them.
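The two local-side precautions above (back up .env, pin the base URL) as an added example in Python; this is not the skill's own code. The expected host name, the `.env` key names and the backup naming are assumptions for illustration only.

```python
"""Added example, not the skill's own code: guards for the two local-side
risks the overview lists, an existing .env the skill may overwrite and a
base URL that should be pinned to the operator's intended host.
Assumptions: the expected host name, the .env key names and the backup
naming are all illustrative."""
import os
import shutil
import tempfile
import time
from pathlib import Path
from urllib.parse import urlparse

# Assumed: the operator pins the host the skill is allowed to talk to.
EXPECTED_HOST = "galaxy.example.invalid"  # placeholder, not a real endpoint


def resolve_base_url(env):
    """Require AICADE_GALAXY_BASE_URL to be set explicitly, to use HTTPS and
    to name the expected host; never fall back to a built-in default."""
    raw = env.get("AICADE_GALAXY_BASE_URL")
    if not raw:
        raise ValueError("AICADE_GALAXY_BASE_URL is not set; refusing implicit default")
    parsed = urlparse(raw)
    if parsed.scheme != "https":
        raise ValueError(f"refusing non-HTTPS base URL: {raw}")
    if parsed.hostname != EXPECTED_HOST:
        raise ValueError(f"unexpected host {parsed.hostname!r}, expected {EXPECTED_HOST!r}")
    return raw.rstrip("/")


def base_url_error(env):
    """Return the rejection reason for env, or None when the URL is accepted."""
    try:
        resolve_base_url(env)
    except ValueError as exc:
        return str(exc)
    return None


def write_env_file(path, new_values):
    """Merge new_values into an .env file without silently clobbering it:
    an existing file is copied to <name>.bak.<epoch> first, its other keys
    are preserved, and the result is chmod 0600. Returns the backup path
    (None when no file existed)."""
    existing = {}
    backup = None
    if path.exists():
        backup = path.with_name(f"{path.name}.bak.{int(time.time())}")
        shutil.copy2(path, backup)
        for line in path.read_text().splitlines():
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, value = line.split("=", 1)
                existing[key.strip()] = value.strip()
    merged = {**existing, **new_values}
    path.write_text("".join(f"{k}={v}\n" for k, v in merged.items()))
    os.chmod(path, 0o600)  # a world-readable .env leaks the key to other local users
    return backup


def demo():
    """Exercise write_env_file on a constructed .env in a temp dir and
    return what a caller can check. AICADE_GALAXY_API_KEY is an assumed name."""
    with tempfile.TemporaryDirectory() as tmp:
        env_path = Path(tmp) / ".env"
        env_path.write_text("OTHER_SETTING=keep-me\nAICADE_GALAXY_API_KEY=old-key\n")
        backup = write_env_file(env_path, {"AICADE_GALAXY_API_KEY": "new-key"})
        contents = env_path.read_text()
        return {
            "backup_made": backup is not None and backup.exists(),
            "backup_has_old": "AICADE_GALAXY_API_KEY=old-key" in backup.read_text(),
            "kept_other": "OTHER_SETTING=keep-me" in contents,
            "updated_key": "AICADE_GALAXY_API_KEY=new-key" in contents,
            "old_gone": "old-key" not in contents,
        }


if __name__ == "__main__":
    print(demo())
    print(base_url_error({}))
```

The base URL check refuses to run at all when the variable is absent rather than defaulting to a host baked into the skill, which is the failure mode the advice to "set AICADE_GALAXY_BASE_URL explicitly" is guarding against.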

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill instructs the agent to access environment variables, read and write local files, and make authenticated network requests, yet it declares no permissions. This creates a transparency and consent problem: a user or host may not realize the skill can export artifacts, handle API keys, and send outbound requests to live services.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The documented purpose emphasizes configuration, export, and validation, but the skill also directs invocation of live tools using artifact metadata and API-key-authenticated requests. That mismatch can cause users or platform policy checks to underestimate that the skill can actively execute remote operations against discovered endpoints.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
When debug mode is enabled, the script logs the full request headers, including the X-API-Key secret. This can expose credentials in terminal output, CI logs, or shared debugging artifacts, enabling unauthorized access to the Galaxy admin services endpoint.

Vague Triggers

Medium
Confidence
84% confidence
Finding
Several triggers such as 'ai payments', 'api payment', and 'make money with ai' are broad enough to match normal conversation unrelated to this specific gateway skill. Overbroad activation increases the chance the skill is invoked in the wrong context, leading to unnecessary credential handling, file operations, or network access.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill explains use of an API key and exporting gateway service metadata, but does not prominently warn that credentials will be read from the environment and that outbound requests may send user-provided data to remote services. This weakens informed consent and increases the chance of accidental credential exposure or unintended data transmission.

Missing User Warnings

High
Confidence
99% confidence
Finding
When debug mode is enabled, the script logs the full outbound request headers, including the X-API-Key value. This directly exposes a live credential to console output, CI logs, shell history capture, or centralized log systems, allowing anyone with log access to reuse the key against the AICADE Galaxy admin endpoint.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The debug payload explicitly includes the full headers object, which contains the complete X-API-Key value with no masking. Anyone with access to logs can reuse that key to query protected administrative service-discovery endpoints and potentially other API operations that trust the same credential.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script prints `Invoking tool:` along with the full user-supplied payload to stdout before making the request. In this skill context, payloads may contain API inputs, identifiers, prompts, or other sensitive business/payment data, and stdout is commonly captured by terminals, CI logs, shell history wrappers, or agent telemetry, causing unintended disclosure.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
When `AICADE_GALAXY_DEBUG=true`, the code logs the full input payload and full output result, which can expose sensitive request contents and returned data. Because this skill is designed for service configuration, monetization, and authenticated gateway usage, responses may include commercially sensitive or user-sensitive data, making verbose debug logs risky if collected centrally or shared.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
When AICADE_GALAXY_DEBUG=true, the script logs the full request payload and full tool response to stdout. These values may contain sensitive user inputs, returned secrets, tokens, financial/payment data, or personal data, creating a clear confidentiality risk through terminal history, CI logs, or agent transcripts. In this skill context, which explicitly handles API keys, monetization, and gateway services, the chance of sensitive data appearing in debug output is elevated.
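The debug-logging findings above (the X-API-Key header dumped with the request headers, and the full payload and response written to stdout) as an added Python example, not the skill's own code: the flagged pattern beside a redacting version that keeps AICADE_GALAXY_DEBUG useful. The `X-API-Key` header and `AICADE_GALAXY_DEBUG` variable come from the audit; the sample URL, headers, payload shape and the list of sensitive field names are constructed for illustration.

```python
"""Added example, not the skill's own code: the debug path the audit flags
(full headers and payload printed verbatim) beside a redacting version that
keeps AICADE_GALAXY_DEBUG useful. The X-API-Key header and the
AICADE_GALAXY_DEBUG variable come from the audit; the payload shape and
sensitive-field names are constructed."""
import json
import os
import re
import sys

SECRET_HEADERS = {"x-api-key", "authorization", "cookie"}
# Assumed list of field names whose values must never reach a log.
SECRET_FIELD = re.compile(r"(api[_-]?key|token|secret|password|card|iban|ssn)", re.I)
MAX_VALUE_LEN = 64  # long prompts/blobs are truncated, not dumped

# Constructed sample request (not real credentials or customer data).
SAMPLE_URL = "https://galaxy.example.invalid/admin/services"
SAMPLE_HEADERS = {"X-API-Key": "sk_live_0123456789abcdef", "Content-Type": "application/json"}
SAMPLE_PAYLOAD = {
    "service": "billing",
    "customer": {"card_number": "4111111111111111", "email": "a@example.invalid"},
    "prompt": "x" * 100,
}


def mask(value):
    """Keep length and last four characters for correlation; the key itself is unrecoverable."""
    if len(value) <= 8:
        return "***"
    return f"***{value[-4:]} (len={len(value)})"


def redact_headers(headers):
    return {k: (mask(v) if k.lower() in SECRET_HEADERS else v) for k, v in headers.items()}


def redact_payload(obj):
    """Recursively blank values under secret-looking keys and truncate long strings."""
    if isinstance(obj, dict):
        return {k: ("***" if SECRET_FIELD.search(str(k)) else redact_payload(v)) for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact_payload(v) for v in obj]
    if isinstance(obj, str) and len(obj) > MAX_VALUE_LEN:
        return obj[:MAX_VALUE_LEN] + f"...[{len(obj) - MAX_VALUE_LEN} more chars]"
    return obj


def debug_enabled(env=None):
    env = os.environ if env is None else env
    return env.get("AICADE_GALAXY_DEBUG", "").strip().lower() in ("1", "true", "yes")


def log_request_unsafe(url, headers, payload):
    """The flagged pattern: the live key and the whole payload go to stdout."""
    print("Invoking tool:", url, json.dumps(headers), json.dumps(payload))


def log_request(url, headers, payload, env=None):
    """Hardened path: emit a redacted record on stderr when debug is on.
    Returns the record so callers (and tests) can inspect exactly what was logged."""
    if not debug_enabled(env):
        return None
    record = {"url": url, "headers": redact_headers(headers), "payload": redact_payload(payload)}
    print("Invoking tool (redacted):", json.dumps(record), file=sys.stderr)
    return record


def leaks_secret(record, secret):
    """True if the raw secret string appears anywhere in the logged record."""
    return secret in json.dumps(record)


if __name__ == "__main__":
    rec = log_request(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_PAYLOAD, env={"AICADE_GALAXY_DEBUG": "true"})
    print(json.dumps(rec, indent=2))
```

The same `redact_payload` should be applied to the tool response before it is logged, since the findings note that returned data can carry tokens or payment details just as the request can. Writing debug output to stderr rather than stdout also keeps it out of pipelines that capture the tool's normal output, though it is still not safe for centralized log collection without the redaction.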

VirusTotal

63/63 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.