ClawHub

RedotPay Payment Skill for MPP

Security checks across malware telemetry and agentic risk

Overview

The skill appears to enable paid RedotPay CLI requests from broad discovery-style prompts, with unclear guardrails around payment/session checks and persistent PATH setup.

Install only if you intend to let the agent use RedotPay for paid external requests. Before use, confirm each `redotpay request` manually, verify the CLI binary source, avoid broad auto-invocation, and consider removing the `~/.local/bin/redotpay` symlink when not needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The skill contains contradictory security-critical workflow rules about when to run `redotpay wallet whoami`: one section forbids it during Steps 1–3, while later sections make `whoami` mandatory for readiness/preflight and say readiness should come only from `whoami`. Conflicting instructions in an agent skill can cause inconsistent execution paths, including premature login checks or skipped preflight checks before chargeable requests, which increases the chance of unsafe payment behavior.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill is presented as a discovery/query-only capability, but its documented workflow explicitly authorizes `redotpay request` calls to arbitrary service endpoints and acknowledges paid requests. That mismatch is dangerous because users or higher-level policy may permit the skill under the assumption that it only searches/list services, while in practice it can initiate network actions that may spend funds or transmit user data to third-party endpoints.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger phrases are broad enough that ordinary user messages mentioning RedotPay and common verbs like "find," "search," or "request" could activate the skill unexpectedly. In this context, accidental activation is more dangerous because the skill can progress from discovery into login and paid request workflows, potentially causing unintended external calls or payment-related prompts.

Session Persistence

Medium
Category
Rogue Agent
Content
### Link to Gateway PATH

`~/.local/bin` is guaranteed to be in the OpenClaw Gateway launchd PATH. If `redotpay` is installed under `~/.redotpay/bin/` but not found, create the symlink:

```bash
ln -sf ~/.redotpay/bin/redotpay ~/.local/bin/redotpay
Confidence
80% confidence
Finding
launchd PATH. If `redotpay` is install

Session Persistence

Medium
Category
Rogue Agent
Content
### Link to Gateway PATH

`~/.local/bin` is guaranteed to be in the OpenClaw Gateway launchd PATH. If `redotpay` is installed under `~/.redotpay/bin/` but not found, create the symlink:

```bash
ln -sf ~/.redotpay/bin/redotpay ~/.local/bin/redotpay
Confidence
80% confidence
Finding
create the symlink: ```bash ln -sf ~/.redotpay/bin/redotpay ~/.local/bin/redotpay ``` > **Why:** Gateway runs via launchd and does not source `.zshrc` / `.bashrc`. Non-standard PATH directories like

Session Persistence

Medium
Category
Rogue Agent
Content
1. Run `command -v redotpay` in terminal — if found, note the path (typically `~/.redotpay/bin/redotpay`)
2. Check if that directory is in the Gateway launchd PATH: inspect `~/Library/LaunchAgents/ai.openclaw.gateway.plist` → `EnvironmentVariables` → `PATH`
3. If missing, create symlink: `ln -sf ~/.redotpay/bin/redotpay ~/.local/bin/redotpay`
4. Restart Gateway: `openclaw gateway restart`
5. `command -v redotpay` should now succeed in the Gateway context
Confidence
82% confidence
Finding
create symlink: `ln -sf ~/.redotpay/bin/redotpay ~/.local

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal