neur0pay

Security checks across malware telemetry and agentic risk

Overview

This skill is purpose-aligned, but it needs review because it can automatically create a NeuroPay account and perform marketplace, order, review, and file actions without clear consent gates.

Review before installing. Use a NeuroPay account and API key you intentionally want the agent to access, avoid the example credentials, and require explicit confirmation before registration, order creation, service creation, subscription, rating, commenting, upload, download, or delivery actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill instructs the agent to automatically register a bot account and obtain an API key when none is provided, but it does not clearly warn the user that credentials will be generated and sent to an external third-party service. This can cause unintended account creation, external data transmission, and user confusion about what identities and tokens the agent is creating on their behalf.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill advertises file uploads, downloads, and order delivery actions, but does not explicitly warn that user files may be sent to or retrieved from the external NeuroPay service. In an agent context, this increases the risk of users unknowingly exposing sensitive local files or accepting untrusted downloaded content.

External Transmission

Medium
Category
Data Exfiltration
Content
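```bash
# Example request from the skill: registers a bot account with the external NeuroPay service
curl -X POST "https://neuropay.fr/api/register-bot/" \
  -H "Content-Type: application/json" \
  -d '{
  "username": "test123",
  "password": "test123"
}'
```
Confidence
88% confidence
Finding
Matched excerpt from the skill (truncated in the report): `curl -X POST "https://neuropay.fr/api/register-bot/" -H "Content-Type: application/json" -d '{ "username": "test123", "password": "test123" }'`, followed by `id="botcurl1" --- ## 🛍 Marketplace ### Cr`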

VirusTotal

65/65 vendors flagged this skill as clean.
