Mcp Server

Security checks across malware telemetry and agentic risk

Overview

This Play-Asia skill is not malware, but it can let an AI spend wallet funds, retrieve purchased digital codes, and send support messages while some capability labels and safety disclosures are inconsistent.

Install only if you are comfortable letting the agent interact with your Play-Asia account. Prefer an info-only PA_TOKEN for browsing and order lookup, use purchase scope only when needed, set daily or weekly spending limits, and require your own explicit confirmation before wallet purchases, Lightning payments, digital-code reveal, or sending support messages and attachments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (19)

Description-Behavior Mismatch (Medium severity, 88% confidence)

The skill is presented as focused on digital-code purchasing, but the documented order-detail endpoint also includes shipping tracking and physical-order metadata. This broadens the accessible data surface beyond the stated scope and can expose sensitive order and delivery information to an agent or workflow that expected only digital purchases.

Context-Inappropriate Capability (Medium severity, 86% confidence)

The skill includes generic Bitcoin and Lightning utilities such as transaction broadcast, route queries, and address validation that are not necessary for buying Play-Asia products. Unrelated financial/network tooling expands the attack surface and could let an agent perform unintended cryptocurrency operations under the guise of a commerce skill.

Description-Behavior Mismatch (High severity, 99% confidence)

Marking the manifest as discovery-only while documenting purchases, wallet top-ups, support actions, and Lightning channel creation is a serious safety signaling failure. Systems that trust the discovery-only label may expose or cache the skill in contexts where destructive or financial actions should be blocked.

Intent-Code Divergence (High severity, 99% confidence)

The document explicitly claims it does not perform purchases or access user data, but later documents authenticated purchase, wallet, order, and customer-service endpoints. This contradiction can mislead users and automated reviewers into trusting a skill that can handle sensitive account data and initiate financial transactions.

Context-Inappropriate Capability (Medium severity, 88% confidence)

Customer-service ticket management is outside the narrowly stated purpose of searching and buying digital codes, yet it enables reading and writing support communications tied to a user account. That broadens access to potentially sensitive personal/order information and introduces unnecessary state-changing capability.

Context-Inappropriate Capability (High severity, 96% confidence)

Opening Lightning channels is a specialized financial/network action unrelated to routine product search or voucher purchase. Including it in this skill unnecessarily enlarges the attack surface and could lead users or agents into irreversible or costly blockchain-related operations they did not intend.

Description-Behavior Mismatch (Medium severity, 89% confidence)

The skill exposes customer-support ticket operations (submit, read, reply, close) that are not described in the stated shopping/purchasing scope. In an agent context, this expands authority from commerce into account-support actions, increasing the chance of unintended or socially engineered interactions with support using the user's authenticated token.

Description-Behavior Mismatch (Medium severity, 84% confidence)

The skill exposes wallet balance, transactions, orders, and order-detail retrieval beyond the description of searching and buying digital products. This creates a scope mismatch that can leak sensitive account/order data or enable broader account actions than a user would reasonably expect when authorizing a shopping skill.

Description-Behavior Mismatch (Medium severity, 93% confidence)

The skill metadata says it searches and buys digital codes/vouchers, but this file also exposes customer-service ticket submission, reading, replying, and closing operations. That scope expansion enables access to potentially sensitive support conversations and lets an agent perform actions the user may not expect from a purchasing skill, increasing the risk of unauthorized data access or unintended account-side effects.

Missing User Warnings (Medium severity, 95% confidence)

The README documents multiple purchase-capable tools (`buy_digital_product`, `buy_with_wallet`) and even provides step-by-step spending flows, but it does not require an explicit user confirmation step before funds are committed. In an agentic context, this can enable unintended autonomous purchases using wallet balance, Lightning, or Bitcoin, especially if the agent is prompted to 'complete checkout' or is given access to payment credentials.

Missing User Warnings (Medium severity, 92% confidence)

The skill explicitly enables purchases, order retrieval, digital code access, and customer service actions tied to a user account or payment flow, but it does not present any explicit requirement for user confirmation before spending funds or transmitting potentially sensitive account/order data. In an agent setting, this creates a real risk of unauthorized purchases, disclosure of digital goods, or unintended submission of support messages/attachments if the agent acts on ambiguous prompts or is prompt-injected by other content.

Missing User Warnings (Medium severity, 95% confidence)

The purchase endpoint documentation describes a wallet-funded buy flow but does not clearly warn that invoking it spends stored funds and immediately delivers redeemable digital goods. In an agent setting, insufficient disclosure increases the risk of unintended purchases and irreversible spending caused by prompt confusion or automation mistakes.

Missing User Warnings (Medium severity, 94% confidence)

The order-detail endpoint can return purchased digital codes, image-based code payloads, and order metadata, but the documentation does not flag this as sensitive content. Exposing redeemed or unredeemed codes to an agent, logs, or downstream tools can directly leak valuable credential-like secrets and order information.

Missing User Warnings (Medium severity, 92% confidence)

The customer service submission flow sends free-form text and base64 attachments to an external service, but the documentation lacks a clear disclosure of that data transfer. In agent workflows, users may unknowingly provide personal data, screenshots, or secrets that get transmitted off-platform without informed consent.

Missing User Warnings (Medium severity, 95% confidence)

The Lightning purchase flow documents paying an invoice to receive a digital product but does not explicitly warn that payment completes a purchase and may be irreversible. Because Lightning payments are typically final, an agent could cause unintended loss of funds and delivery of redeemable goods with little opportunity for recovery.

Missing User Warnings (Medium severity, 91% confidence)

The documentation explains how to perform purchases and wallet top-ups but lacks a clear, prominent warning that these are financial and potentially irreversible actions. In agent settings, missing consent and risk language increases the chance of accidental purchases, unwanted wallet funding, or unsafe automation of payment flows.

Missing User Warnings (Medium severity, 88% confidence)

`submitEnquiry` forwards arbitrary subject, message, reference, and optional attachments to customer service with no visible user warning, consent checkpoint, or attachment validation in this file. In an agent setting, this can cause unintended disclosure of sensitive personal, financial, or account data to a third party, especially because attachments may contain highly sensitive documents.

Missing User Warnings (Medium severity, 90% confidence)

`buyWithWallet` performs an immediate state-changing purchase using stored wallet funds from nothing more than a supplied product identifier, with no visible confirmation, preview, or anti-misuse guard in this file. In an autonomous or semi-autonomous agent context, that creates a real risk of accidental or prompt-induced unauthorized spending.

Missing User Warnings (Medium severity, 94% confidence)

The purchase function directly initiates a paid digital-goods purchase flow and returns payment instructions without any built-in confirmation, user-consent checkpoint, or warning that invoking the tool can cause real monetary loss. In an agent setting, this makes accidental or prompt-manipulated purchases much more likely, especially because the skill is explicitly designed for buying real products and supports instant payment methods.

VirusTotal

65/65 vendors flagged this skill as clean.