clawtip-pre-verify

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Clawtip payment utility, but it can submit payment requests using a locally stored payment token without a clearly enforced confirmation gate.

Install only if you trust this Clawtip/JD payment flow and the third-party skills that may call it. Require a manual confirmation of recipient, amount, and purpose before every payment, restrict `configs/config.json` to owner-only access, and avoid shared or multi-user machines unless the token is protected outside this skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (8)

Vague Triggers

Medium
Confidence
85% confidence
Finding
The wallet-view trigger examples include broad phrases like '查看钱包' ("view wallet") and '打开clawtip钱包' ("open clawtip wallet"), which can overlap with ordinary conversation and cause unintended invocation. In a payment-related skill, accidental triggering is more sensitive because it can reveal financial links or shift the conversation into a payment flow without sufficiently specific user intent.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The token-creation path accepts open-ended input patterns like '创建token xxx' ("create token xxx") without defining validation constraints for the token value or proving user authorization. Because the skill also has credential.write capability and persists token material locally, ambiguous triggering or unvalidated token input could let a caller plant or overwrite credential state.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
A token returned by the remote API is persisted in plaintext to configs/config.json, creating a local secret-at-rest exposure. Any local user, co-tenant process, backup system, or malware with filesystem access could recover the token and potentially access or impersonate the user's clawtip account context.

Missing User Warnings

High
Confidence
97% confidence
Finding
The function submits a real payment request directly to the payment API without any in-function user confirmation, review step, or anti-abuse guard. In an agent-skill context, that makes accidental, spoofed, or prompt-induced payment initiation materially more dangerous because the code performs an externally effective financial action immediately.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The code reads a sensitive local token (`u`) from plaintext config and then uses it as device/authorization material for remote payment-related requests. In this skill context, that is dangerous because it silently consumes a locally stored credential for a high-risk financial operation, increasing the chance of credential misuse, exfiltration, or unauthorized payment flows.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The library persists an `aksKey` value in localStorage or applet storage and protects it with hardcoded client-side SM4 key and IV values embedded in the bundle. Because those protection values are recoverable by anyone with access to the code or runtime, the stored key material is effectively only obfuscated, not securely protected, so a local attacker or XSS-capable script could recover it and decrypt or forge protected payloads.

Excessive Permissions

Low
Category
Privilege Escalation
Content
> The `u` is stored in local. Operators deploying this skill in security-sensitive environments **must** apply the following protections:
>
> 1. **File permissions:** `chmod 600 configs/config.json` — restrict to owner-only read/write.
> 2. **Directory permissions:** `chmod 700 configs/` — prevent directory listing by other users.
> 3. **Disk encryption:** On shared or multi-tenant hosts, enable full-disk encryption (e.g., FileVault on macOS, LUKS on Linux).
Confidence
78% confidence
Finding
permissions:*

Excessive Permissions

Low
Category
Privilege Escalation
Content
> The `u` is stored in local. Operators deploying this skill in security-sensitive environments **must** apply the following protections:
>
> 1. **File permissions:** `chmod 600 configs/config.json` — restrict to owner-only read/write.
> 2. **Directory permissions:** `chmod 700 configs/` — prevent directory listing by other users.
> 3. **Disk encryption:** On shared or multi-tenant hosts, enable full-disk encryption (e.g., FileVault on macOS, LUKS on Linux).
>
> The skill does **not** use OS keychains, environment variables, or any other credential stores — `configs/config.json` is the sole persistence point.
Confidence
78% confidence
Finding
permissions:*

VirusTotal

66/66 vendors flagged this skill as clean.
