x402 Paywall

Security checks across malware telemetry and agentic risk

Overview

This payment skill is mostly coherent, but it needs review because it can move real funds while its advertised payment verification is too weak to enforce the paywall safely.

Review before installing. Use only a dedicated low-balance wallet, strict max_price limits, trusted endpoints, and protected key storage. Do not rely on this as a production paywall until payment verification checks the actual USDC transfer details and replay records are durable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Tp4

High
Category: MCP Tool Poisoning
Confidence: 91%
Finding: The skill claims strong on-chain payment verification and a simple wrapper role, but the described behavior expands into automated payment sending, standalone ledgering/analytics, subscription management, and what may be only simplified transaction-success checks. This mismatch is dangerous because operators may trust the advertised security model while deploying a system that can move funds and make authorization decisions on incomplete verification, enabling underpayment, replay, or false acceptance of payments.

Context-Inappropriate Capability

Medium
Confidence: 87%
Finding: The module can export full payment records, including payer identifiers and transaction metadata, to an arbitrary filesystem path with no access control, path restrictions, or sensitivity checks. In an agent environment, this increases the risk of unintended data disclosure or of writing sensitive financial history to insecure or attacker-influenced locations.

Description-Behavior Mismatch

High
Confidence: 99%
Finding: The verifier treats any successful transaction receipt as proof of payment and does not validate that the transaction interacted with the USDC contract, transferred funds to the expected recipient, or matched the required amount/sender. An attacker can satisfy the paywall with any unrelated successful transaction hash on the same chain, bypassing pricing enforcement entirely.

Description-Behavior Mismatch

Medium
Confidence: 89%
Finding: The code instantiates a ledger and claims to track payments and revenue, but successful verifications never call Ledger.record. This creates a mismatch between security/business logic and observability, enabling silent undercounting, broken subscription or audit workflows, and weak fraud detection.

Missing User Warnings

Medium
Confidence: 94%
Finding: The client example says payment is handled automatically and includes a wallet private key, but it does not present a strong warning that invoking the helper may broadcast real on-chain transactions and spend funds. In agentic or automated environments, this can lead to unintended monetary loss if a model, script, or user triggers paid calls without explicit approval and transaction review.

Missing User Warnings

Medium
Confidence: 90%
Finding: The CSV export persists detailed payer transaction history to disk without any warning, minimization, or consent mechanism, which can leak financial activity and wallet-linked metadata. This is more concerning in the stated agent-payment context because payer histories may be sensitive operational and commercial data, and agents may invoke tools non-interactively.

Missing User Warnings

Medium
Confidence: 86%
Finding: The client automatically sends an on-chain payment after receiving a 402 response, with no explicit user confirmation or strong policy gate beyond a max_price threshold. In an agent setting, this can cause unintended token transfers to attacker-controlled endpoints or misleading paywalls, especially if the caller delegates network actions to the skill automatically.

VirusTotal

67/67 vendors flagged this skill as clean.