Crow Payments

Security checks across malware telemetry and agentic risk

Overview

This CrowPay payment skill is mostly aligned with its stated purpose, but it needs review because it grants real spending authority while pushing broad activation, immediate setup, persistent credential storage, and extra skill installs.

Install only if you intentionally want an agent to use CrowPay for payments. Require explicit confirmation for wallet setup and each new merchant, store the API key only in a scoped secret manager or environment variable, avoid writing it into memory or notes, disable or tightly cap auto-approval, validate merchant/domain/amount/payee before paid calls, and do not install the suggested extra skills unless separately reviewed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (21)

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill instructs the agent to install software from a remote GitHub repository as part of normal operation, which expands capability beyond payment handling into package fetching and code installation. This creates an avoidable supply-chain and privilege-expansion risk, especially because the installation is framed as something to do immediately rather than only with explicit user approval.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The skill directs the agent to write an API key and behavioral instructions into persistent memory or files, which is broader than the stated payment task and can outlive the current user session. Persisting secrets alongside action-triggering instructions increases the chance of credential leakage, cross-session misuse, and unauthorized future payments triggered by unrelated interactions.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill instructs installation of a separate Nightmarket skill unrelated to the minimum payment flow, unnecessarily broadening the agent's capabilities into service discovery and further remote code retrieval. That capability expansion increases the attack surface and can chain into additional unreviewed behaviors outside the user's immediate request.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger description is overly broad, covering generic concepts like buying anything on the internet and mentioning payment-related keywords even without naming the skill. This can cause the skill to activate in situations where payment authority or user consent is unclear, increasing the likelihood of unnecessary credential setup or payment-related actions.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The 'When to Use' guidance is too general and omits meaningful scope limits or negative examples, encouraging invocation for broad purchasing scenarios. In a payment skill, ambiguous invocation is particularly risky because it can lead to wallet setup, transmission of payment metadata, or attempts to spend funds without sufficiently explicit user authorization.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This API reference documents endpoints that create wallets/API keys and authorize real payments, but it does not prominently warn that these actions create credentials and can trigger financial transactions. In an agent-skill context, missing safety guidance materially increases the risk that an agent or integrator invokes these endpoints without clear user consent or appropriate handling of secrets.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation shows a live-looking secret header (`X-API-Key: crow_sk_abc123...`) in executable curl examples without an explicit warning to use environment variables or redact credentials. In a payment skill, this can normalize hardcoding secrets into prompts, scripts, logs, or repositories, increasing the chance of API key leakage and unauthorized payment actions.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation instructs forwarding the entire HTTP 402 response body from an external API to Crow without any privacy minimization or warning. While x402 payment metadata is often expected to be shared, the full body may include URLs, resource descriptions, query-linked identifiers, or merchant-supplied metadata that can expose user or business-sensitive information to a third party.

External Transmission

Medium
Category
Data Exfiltration
Content
Check spending rules and sign an EIP-3009 USDC payment authorization for x402 protocol.

```bash
curl -X POST https://api.crowpay.ai/authorize \
  -H "X-API-Key: crow_sk_..." \
  -H "Content-Type: application/json" \
  -d '{
```
Confidence
79% confidence
Finding
curl -X POST https://api.crowpay.ai/authorize \ -H "X-API-Key: crow_sk_..." \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
To retry the original request with payment:
```bash
PAYMENT=$(echo '{"x402Version":2,...}' | base64 -w0)
curl https://api.example.com/v1/endpoint \
  -H "payment-signature: $PAYMENT"
```
Confidence
73% confidence
Finding
curl https://api.example.com/v1/endpoint \ -H "payment-signature: $PAYMENT" ``` **202 Accepted — Pending human approval** ```json { "status": "pending", "approvalId": "abc123", "expiresAt": 1

External Transmission

Medium
Category
Data Exfiltration
Content
Check spending rules and sign an EIP-3009 USDC payment authorization for x402 protocol.

```bash
curl -X POST https://api.crowpay.ai/authorize \
  -H "X-API-Key: crow_sk_..." \
  -H "Content-Type: application/json" \
  -d '{
```
Confidence
79% confidence
Finding
https://api.crowpay.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
To retry the original request with payment:
```bash
PAYMENT=$(echo '{"x402Version":2,...}' | base64 -w0)
curl https://api.example.com/v1/endpoint \
  -H "payment-signature: $PAYMENT"
```
Confidence
73% confidence
Finding
https://api.example.com/

External Transmission

Medium
Category
Data Exfiltration
Content
Request a credit card payment. Returns a Stripe Shared Payment Token.

```bash
curl -X POST https://api.crowpay.ai/authorize/card \
  -H "X-API-Key: crow_sk_..." \
  -H "Content-Type: application/json" \
  -d '{
```
Confidence
82% confidence
Finding
https://api.crowpay.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
Check wallet balance, spending rules, and daily spending. Returns all wallets and card payment methods for the authenticated user.

```bash
curl "https://api.crowpay.ai/status" \
  -H "X-API-Key: crow_sk_..."
```
Confidence
69% confidence
Finding
https://api.crowpay.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
Pass the **entire 402 response body** as `paymentRequired`, and add a clear `merchant` name and `reason`:

```bash
curl -X POST https://api.crowpay.ai/authorize \
  -H "X-API-Key: crow_sk_abc123..." \
  -H "Content-Type: application/json" \
  -d '{
```
Confidence
87% confidence
Finding
https://api.crowpay.ai/

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
### Responses

**200 OK — Auto-approved**

The signed payment payload. Use this to retry the original request.
Confidence
92% confidence
Finding
Auto-approve

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
2. Merchant blacklist
3. Merchant whitelist (if configured)
4. Daily spending limit
5. Auto-approve threshold (above threshold → 202 pending)

---
Confidence
90% confidence
Finding
Auto-approve

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
|------|---------|
| Daily limit | $50 |
| Per-transaction limit | $25 |
| Auto-approve threshold | $5 |

---
Confidence
89% confidence
Finding
Auto-approve

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
|------|---------|
| Daily limit | $50 (5000 cents) |
| Per-transaction limit | $25 (2500 cents) |
| Auto-approve threshold | $5 (500 cents) |

Owners can customize all limits in the dashboard under the "Rules" tab.
Confidence
72% confidence
Finding
Auto-approve

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
The wallet owner sees the `merchant` and `reason` when approving, so make them descriptive.

## Step 3a: If 200 — Auto-approved

Crow checked spending rules and $0.50 is within the auto-approve threshold. You get a signed payment payload:
Confidence
86% confidence
Finding
Auto-approve

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
- USDC contract: `0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913`
- Crow signs EIP-3009 `TransferWithAuthorization` — the facilitator settles on-chain
- The wallet's private key never leaves Crow's server
- Default auto-approve threshold is $5 — owner can change this in dashboard
Confidence
84% confidence
Finding
auto-approve

VirusTotal

65/65 vendors flagged this skill as clean.
