Security audit

my-pay

Security checks across malware telemetry and agentic risk

Overview

This payment skill is not clearly malicious, but it can submit real payments using wallet-signing credentials without a required final user approval step.

Review carefully before installing. Use only with a trusted mypay-bot package, a low-balance or scoped wallet, and credentials you can revoke. Require the agent to show the exact amount, recipient or merchant, currency, fees, source wallet, and payment link, then get an explicit yes/no confirmation immediately before any submit-payment command. Do not paste or expose full payment URLs if they contain tokens, signatures, hashes, or other secret-bearing parameters.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Output Handling: Unvalidated Output Injection, Cross-Context Output, Unbounded Output
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Vague Triggers

Severity: High
Confidence: 94%
Finding: The trigger criteria are extremely broad and include generic commerce and transaction language, plus activation even when the user does not explicitly request payment. In a high-risk financial context, this can cause the skill to engage in payment workflows for ambiguous intents, increasing the chance of unintended money movement.

Missing User Warnings

Severity: High
Confidence: 98%
Finding: The workflow proceeds from wallet check directly to payment submission without an explicit confirmation gate immediately before executing the transaction. Because payments may be irreversible, omission of a mandatory human confirmation step can lead to accidental or unauthorized transfers with direct financial loss.

Ssd 3

Severity: High
Confidence: 99%
Finding: The instruction to copy URLs exactly, including query parameters, tokens, and hashes, creates a direct path for secret leakage if the CLI emits signed links, session tokens, wallet references, or one-time payment URLs. In a payment skill, exposing such material to the user chat or transcript can enable replay, account misuse, or unintended disclosure to anyone with access to the conversation.

Unbounded Output

Severity: Medium
Category: Output Handling
Content (quoted from the skill):
- **Preserve all links and images exactly**: Every URL, link, and image reference that appears
  in the output of any mypay-bot command MUST be copied in full — character for character,
  with no truncation, no summarization, no reformatting. This includes query parameters,
  tokens, hashes, and any other URL components. Display them to the user exactly as received.

- **Follow the step order strictly**: Step 0 -> Step 1 -> Step 2. Do not skip or reorder.
Confidence: 88%
Finding: no truncation

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.