Cli

Security checks across malware telemetry and agentic risk

Overview

This skill matches its payment-dispute purpose, but it asks for wallet authority and performs financial/network actions with under-disclosed safeguards.

Review this before installing. Use only a dedicated low-balance test wallet, avoid pasting production private keys into shell commands, verify the exact npm package/version being run, and do not submit private evidence unless you are comfortable with it being sent to the configured services and possibly becoming public or hard to remove.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (23)

Lp3

Medium
Category
MCP Least Privilege
Confidence
85% confidence
Finding
The skill invokes CLI operations that inherently use network access and can read/write local state, yet it declares no permissions or capability expectations. This reduces transparency for operators and agents, making it easier to run a skill that can contact external services and persist sensitive payment state without informed consent.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The declared description focuses on paying merchants and filing disputes, but the documented behavior extends to handling sensitive configuration, exposing evidence, contacting arbiter and replay APIs, and potentially interacting with third-party services like IPFS pinning. This mismatch can mislead users about the true data exposure and external interactions, increasing the risk of accidental key disclosure, privacy loss, or unintended network actions.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The command silently transmits payment metadata to a remote arbiter endpoint after completing the merchant payment, even though that network transfer is not essential to the core pay action. This creates an information disclosure risk because payer/receiver/token/amount and timing metadata are exposed to a third party without an explicit opt-in, and users may reasonably believe the tool only contacts the merchant and local state file.

Intent-Code Divergence

Low
Confidence
84% confidence
Finding
The surrounding comments and flow suggest payment state is saved locally for dispute handling, but the code also posts payment information to a remote arbiter service. This mismatch is security-relevant because misleading documentation reduces informed consent and can cause users to expose payment metadata they did not expect to leave the machine.

Description-Behavior Mismatch

Medium
Confidence
83% confidence
Finding
This module transmits dispute-related JSON to a third-party pinning service and stores it on IPFS, which is external storage/network behavior not clearly reflected in the skill description. In a payments/disputes context, the pinned data may contain evidence or sensitive transaction details, so undisclosed exfiltration to an external permanence-oriented service increases privacy, compliance, and data handling risk.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The command silently performs an additional POST to a configured arbiter service containing full payment metadata after completing the merchant payment. This is a real security/privacy issue because users invoking a pay command would not reasonably expect their payment details to be transmitted to a third-party service, and the upload occurs without explicit consent, visibility, or an opt-in control.

Intent-Code Divergence

Low
Confidence
91% confidence
Finding
The implementation uploads detailed payment information for dashboard lookups, but this behavior is not surfaced in the command description or user-facing flow. Even if the data is not secret in a strict cryptographic sense, undisclosed network exfiltration of transaction metadata undermines user consent and can leak sensitive operational or financial context to infrastructure the user did not intend to contact.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The command introduces an external network interaction that sends paymentInfo and nonce to a configurable court UI service, but this capability is not reflected in the skill's stated payment/dispute scope. That mismatch can mislead operators about data flows and trust boundaries, increasing the risk of unintended disclosure to an arbitrary endpoint supplied by config or CLI.

Intent-Code Divergence

Low
Confidence
81% confidence
Finding
The module comment frames the feature as an 'independent verifier,' but the implementation relies on a remote court-ui endpoint to perform the verification. This documentation/behavior mismatch can cause users to assume local or trust-minimized verification when sensitive dispute data is actually posted to an external service, weakening informed consent and security review.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The code documents Pinata JWT as required for production use, yet silently returns a hardcoded placeholder CID when pinning fails or is unconfigured. This can cause the system to believe evidence was successfully stored when it was not, undermining dispute integrity, auditability, and potentially causing users to submit invalid or unverifiable dispute references.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The state model includes an optional `merchantPrivateKey`, and `savePaymentState` serializes the entire state object to `~/.x402r/last-payment.json` without excluding or protecting that field. Persisting a private key in plaintext on disk is highly sensitive because local compromise, backups, logs, or other users/processes may expose the key and enable unauthorized signing or fund theft.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The setup command instructs users to provide a raw private key directly on the command line without any warning about exposure through shell history, process listings, logs, or screenshots. Because this skill performs blockchain payment actions, compromise of that key can lead to wallet takeover and irreversible asset loss.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill describes payment and dispute flows but does not warn that these actions create on-chain state, consume gas, and may have irreversible financial or evidentiary consequences. In a web3 payment context, omitting those warnings makes accidental execution materially more dangerous because users may trigger real transactions or publish dispute evidence without understanding permanence and cost.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The command automatically uploads dispute evidence to IPFS, which is a third-party content-addressed storage network, without an explicit warning or confirmation that the supplied reason, evidence text, payer/receiver addresses, and attached file contents may become publicly accessible or widely retrievable. In a payments/dispute workflow this can expose sensitive financial or personal information and may create irreversible privacy leakage because users may assume the evidence is only being sent to the protocol or arbiter.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Payment metadata is sent to the arbiter service with no explicit warning, confirmation, or prior consent. In a payments/disputes tool, that context makes the issue more sensitive because transaction metadata can reveal financial relationships, counterparties, and amounts, enabling privacy loss or correlation if the arbiter is compromised or logs are retained.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The interface and comments indicate the CLI loads and saves highly sensitive values such as a private key and Pinata JWT from ~/.x402r/config.json, .env, and environment variables, but there is no warning here about secure storage, filesystem permissions, or the risks of persisting secrets locally. In a payment/dispute skill, storing a blockchain private key locally increases the chance of credential theft through local compromise, backups, logs, or accidental file exposure, which could lead to unauthorized transactions or account takeover.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The declared persisted payment state includes an optional merchantPrivateKey and the file comment indicates state is saved under ~/.x402r/, which strongly suggests sensitive key material may be written to local disk. Storing private keys in plaintext local state materially increases the risk of credential theft from malware, other local users, backups, logs, or accidental disclosure, especially in a payment/dispute tool where the key can authorize financial actions.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This command accepts highly sensitive secrets such as a private key and JWT directly via CLI arguments, which can be exposed through shell history, process listings, terminal logging, or CI job output. In a payments/disputes CLI, this is especially risky because compromise of the private key could allow unauthorized payment actions or fraudulent dispute activity.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The command automatically uploads dispute evidence containing reason text, timestamps, payer/receiver addresses, and optional attachments to IPFS without an explicit warning or confirmation that the data may become publicly accessible and effectively permanent. In a payments/dispute workflow, users are likely to include sensitive financial or personal information, so this omission creates a realistic privacy and data-exposure risk rather than a purely theoretical concern.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The CLI persists sensitive values such as privateKey and pinataJwt to ~/.x402r/config.json without any warning, consent flow, or file-permission hardening. On multi-user systems, shared environments, backups, or malware-compromised hosts, plaintext credential storage increases the chance of secret disclosure and downstream account compromise.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
`savePaymentState` writes sensitive payment state directly to a predictable file under the user's home directory and does so silently, without warning the user that confidential material may be retained locally. In the context of a payment/dispute skill, undisclosed persistence increases the chance that credentials or transaction metadata remain accessible to malware, shared accounts, backups, or forensic recovery.

External Transmission

Medium
Category
Data Exfiltration
Content
if (config.pinataJwt) {
        console.log("  Pinning to IPFS via Pinata...");
        try {
            const response = await fetch("https://api.pinata.cloud/pinning/pinJSONToIPFS", {
                method: "POST",
                headers: {
                    "Content-Type": "application/json",
Confidence
86% confidence
Finding
fetch("https://api.pinata.cloud/pinning/pinJSONToIPFS", { method: "POST"

External Transmission

Medium
Category
Data Exfiltration
Content
if (config.pinataJwt) {
        console.log("  Pinning to IPFS via Pinata...");
        try {
            const response = await fetch("https://api.pinata.cloud/pinning/pinJSONToIPFS", {
                method: "POST",
                headers: {
                    "Content-Type": "application/json",
Confidence
86% confidence
Finding
https://api.pinata.cloud/

VirusTotal

64/64 vendors flagged this skill as clean.
