Low Risk — Risk Score 20/100
Last scan: 2 days ago
omniclaw
AI agent payment skill for x402 protocol payments, USDC transfers, and Circle Gateway nanopayments
OmniClaw is a legitimate payment processing skill for AI agents that handles x402 protocol payments and USDC transfers. The documentation is thorough, capabilities are clearly declared, and no hidden malicious behavior was identified.
Skill Name: omniclaw
Duration: 34.0s
Engine: pi
Safe to install
This skill can be used safely. Ensure the OMNICLAW_TOKEN is properly secured and only grant this skill to agents that need payment capabilities.

Findings 3 items

Severity Finding Location
Medium
Command execution capability in serve feature
The omniclaw-cli serve --exec command allows arbitrary command execution, which could be abused if the skill is granted broadly. However, this is documented and intentional for the paid-service hosting feature.
--exec "python3 ./my_service.py"
→ Limit grant of this skill to agents that specifically need to host paid services. Consider separating the payer and host capabilities.
SKILL.md:239
Low
Token handling requires strict security
The OMNICLAW_TOKEN is a scoped agent token that must never be printed, logged, or transmitted. While the docs clearly warn about this, improper handling could lead to token exposure.
Never print, log, or transmit this value
→ Ensure the runtime environment handles OMNICLAW_TOKEN as a sensitive secret, similar to API keys.
SKILL.md:10
Low
Server URL is user-configurable
The server-url is provided by the owner at session start, meaning network traffic could go to any HTTPS endpoint. No hardcoded trusted endpoints.
--server-url <OMNICLAW_SERVER_URL>
→ Verify the server URL before granting the skill to ensure it points to a legitimate OmniClaw server.
SKILL.md:31
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | READ | READ | ✓ Aligned | SKILL.md:185 '--output ./result.json' saves payment responses to files |
| Network | READ | WRITE | ✓ Aligned | SKILL.md:44 'omniclaw-cli pay' makes HTTP requests to pay for services; SKILL.md… |
| Shell | NONE | WRITE | ✓ Aligned | SKILL.md:239 '--exec "python3 ./my_service.py"' allows arbitrary command executi… |
| Environment | READ | READ | ✓ Aligned | SKILL.md:10 'env: OMNICLAW_TOKEN' and SKILL.md:249 'OMNICLAW_PAYER_ADDRESS, OMNI… |
| Skill Invoke | NONE | NONE | | No nested skill invocations declared or detected |
| Clipboard | NONE | NONE | | No clipboard access documented |
| Browser | NONE | NONE | | No browser automation documented |
| Database | NONE | NONE | | No direct database access documented |
4 findings
Medium External URL
https://api.omniclaw.com
SKILL.md:46
Medium External URL
https://service.example.com/data/query
SKILL.md:117
Medium External URL
https://service.example.com/inference/run
SKILL.md:122
Medium Cryptocurrency Wallet Address
0x742d35Cc6634C0532925a3b844Bc9e7595f5e4a0
SKILL.md:160

File Tree

1 file · 11.4 KB · 422 lines
Markdown 1f · 422L
└─ 📝 SKILL.md Markdown 422L · 11.4 KB

Security Positives

✓ Documentation is comprehensive and clearly defines boundaries of what the skill can and cannot do
✓ Clear error handling guidance with explicit 'stop and notify owner' instructions for failures
✓ Token security warnings are prominent and explicit (Rule 5)
✓ Idempotency key requirement prevents accidental double-charging
✓ Dry-run capability allows testing payments before execution
✓ Guards and whitelists are mentioned as owner-only controls
✓ No base64 encoding, obfuscation, or hidden instructions detected
✓ No access to sensitive paths like ~/.ssh, ~/.aws, or .env files
✓ No credential harvesting behavior observed
✓ No curl|bash or wget|sh remote script execution patterns