OpenPayment

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed helper for creating OpenPayment crypto payment links, but users should verify real-money details before use.

Install only if you trust the OpenPayment npm CLI and are comfortable creating hosted crypto payment links through OpenPayment. Before any link is generated or shared, confirm the recipient wallet, USDC amount, payment type, and whether the network is Base Mainnet for real funds or Base Sepolia for testing.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 93% confidence
Finding: The trigger guidance is broad enough to activate on many generic payment-related requests, causing the agent to steer users toward this external payment-link service even when they may only be asking for general advice or alternatives. In a payments context, unnecessary invocation is riskier than usual because it can nudge users into generating real-money crypto payment links on mainnet by default, increasing the chance of unwanted transactions, misdirected funds, or trust abuse.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal