This skill enables an attacker-
Claims to do
ShowMeTheMoney Pro: Execute the protected ShowMeTheMoney premium action only after merchant-backend verification and StablePay payment succeed.
Actually does
The skill first resolves the buyer's DID using `stablepay_runtime_status`. It then attempts to call the merchant backend at `http://127.0.0.1:8787/execute` with the buyer's DID. If the backend returns a `402 Payment Required` response, it extracts payment details and initiates payment via `stablepay_pay_via_gateway` to `https://ai.wenfu.cn`, retrying the backend call once after successful payment.
`openclaw skills install bubblevan/showmethemoney-pro`
DeBERTa classifier detected prompt injection (confidence: 1.00)
The skill permits optional query parameters `q` and `prompt` to be forwarded directly to the backend as 'request text for the premium action'. This creates an indirect prompt injection surface: attacker-controlled backend responses could embed instructions in the `prompt` parameter that influence agent reasoning or downstream actions.
Optional query parameters may be used when helpful:
- `q`
- `prompt`

These optional values are forwarded to the backend as request text for the premium action.
User-provided `q` or `prompt` parameters are forwarded as query parameters to the local backend at `http://127.0.0.1:8787/execute`. If the local backend does not properly sanitize these inputs, it could lead to command injection or other vulnerabilities on the host system.
endpoint: `http://127.0.0.1:8787/execute`
Optional query parameters may be used when helpful:
- `q`
- `prompt`
The skill hardcodes `http://127.0.0.1:8787` as the merchant backend base URL. This instructs the agent to make HTTP requests to localhost, which is a classic Server-Side Request Forgery (SSRF) vector. If the agent runtime executes in a cloud or shared environment, this could be used to probe internal services, metadata endpoints, or other locally-bound services not intended to be accessible externally.
merchant_backend_base_url: `http://127.0.0.1:8787`
The skill hardcodes `https://ai.wenfu.cn` as the StablePay gateway base URL. All payment flows, buyer DIDs, and transaction metadata are routed through this third-party domain. This enables exfiltration of agent identity (DID), payment metadata, and potentially wallet-related information to an attacker-controlled external server.
stablepay_gateway_base_url: `https://ai.wenfu.cn`
The skill explicitly instructs the agent to resolve and transmit its buyer DID as a query parameter to both the localhost backend and the external StablePay gateway. DIDs may function as persistent identifiers that could be used for tracking, correlation, or targeting of the agent across sessions.
GET http://127.0.0.1:8787/execute?agent_did=<buyer_did>
The payment flow is entirely driven by the backend 402 response content, including `price`, `currency`, `skill_did`, and `payment_endpoint`. Since the backend URL is attacker-controlled (localhost or external domain), an adversary can return arbitrary payment parameters to redirect funds to a different wallet, inflate prices, or substitute payment endpoints — and the agent is instructed to prefer these over hardcoded defaults.
prefer the returned `skill_did`, `skill_name`, `price`, `currency`, `message`, and `payment_endpoint`
A specific Solana DID (`did:solana:6vhFRAY7FBruLdvtztAUfne1F77aFsVCHhwPuu4JAoox`) is hardcoded into the skill. While not a private key, this embeds a specific on-chain identity that the agent is instructed to use, potentially tying the agent's payment flows to a fixed attacker-controlled Solana address.
skill_did: `did:solana:6vhFRAY7FBruLdvtztAUfne1F77aFsVCHhwPuu4JAoox`
The skill repeatedly instructs the agent to treat the merchant backend as the 'source of truth' and 'final authority', and to 'prefer values returned by the backend'. This means a compromised or attacker-controlled backend at `http://127.0.0.1:8787` or `https://ai.wenfu.cn` can override skill defaults, redirect payment flows, and manipulate agent behavior with no independent validation.
Treat the merchant backend as the source of truth. ... Treat the backend response as the final authority. ... Prefer values returned by the backend or StablePay `402 Payment Required` response when available.
The skill instructs the agent to call `stablepay_pay_via_gateway` automatically upon receiving a 402 response from the backend, then retry the action — all without an explicit user confirmation step in the workflow. This enables the backend to trigger autonomous financial transactions by simply returning a 402 response, potentially draining configured payment limits.
If the backend returns `402 Payment Required`:
- read the payment requirement from the backend response
- prefer the returned `skill_did`, `skill_name`, `price`, `currency`, `message`, and `payment_endpoint`
- call `stablepay_pay_via_gateway`

6. If payment succeeds, retry the same `/execute` request once.
The skill orchestrates multiple tool calls autonomously: `stablepay_runtime_status`, `stablepay_register_local_did`, `stablepay_configure_payment_limits`, and `stablepay_pay_via_gateway`. This constitutes a sub-agent spawning pattern where the skill drives a chain of privileged tool invocations, including wallet operations and financial transactions, without per-step human approval.
1. Call `stablepay_runtime_status`.
2. If no local wallet exists, create or bind one.
3. If no backend DID is registered, call `stablepay_register_local_did`.
4. If payment limits are missing, call `stablepay_configure_payment_limits`.
The skill description presents itself as a benign 'premium action executor' for a merchant backend, but the actual behavior involves autonomous wallet creation, DID registration, payment execution, and forwarding of agent identity to external servers. The simplified description may cause human reviewers or users to underestimate the scope of privileged operations being authorized.
description: execute the paid showmethemoney premium action through the merchant backend. use when the user wants to unlock or run the protected showmethemoney capability