Snaplii AI Agent Cashback Payment

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This payment skill is mostly coherent but should be reviewed because it tells the agent to collect and pipe a payment API key during re-authentication.

Review before installing. The payment workflow has useful safety checks such as quote-first purchasing and explicit confirmation, but do not paste a Snaplii API key into normal chat or let the agent pipe it on your behalf. Only use this if you trust the external Snaplii CLI and can enter credentials through a secure local prompt or secret manager.

SkillSpector (3)

By NVIDIA

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding: The skill first says the API key should only be entered via hidden interactive stdin and never passed as a command-line argument, but later recovery guidance suggests the agent should collect the user's API key and pipe it into init. That contradiction can lead to unsafe secret handling through the agent workflow, chat logs, or automation layers, increasing the risk of credential exposure.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: The skill instructs the agent to re-authenticate seamlessly by asking the user to re-enter their API key and then piping that input into the CLI, but it does not provide a strong warning that this involves collection and transmission of a sensitive credential. In a financial-payment skill, normalizing this behavior materially raises the chance that secrets will be exposed in chat history, agent logs, or intermediary tooling.

Ssd 3

Severity: Medium
Confidence: 98%
Finding: This skill handles real payment operations yet explicitly tells the agent to collect the user's API key and relay it into the authentication command. That creates a clear credential-handling risk because the secret may traverse conversational channels, telemetry, or execution logs, enabling account takeover or unauthorized payment actions if exposed.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.