Purchase Anonymous Data eSIM (Crypton.sh)

ReviewAudited by ClawScan on May 1, 2026.

Overview

The skill is a coherent eSIM purchase helper, but users should be aware it can create real checkout orders and display sensitive eSIM activation details.

This appears purpose-aligned for buying and managing eSIMs. Before installing, make sure you trust the Crypton service, only issue buy commands intentionally, verify payment details before sending money, and keep order IDs and activation codes private.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Low

#ASI02: Tool Misuse and Exploitation

What this means

If the user or agent issues a buy command, the skill may create a payment session or crypto payment request for an eSIM plan.

Why it was flagged

The purchase command creates a checkout order through the external API. This is disclosed and purpose-aligned, but it is still a real commerce workflow.

Skill content

response = self.session.post(
            f"{self.api_base_url}/checkout",
            json=payload
        )

Recommendation

Only use buy commands after confirming the package ID, price, and payment method; consider adding an explicit confirmation step before checkout creation.

Medium

#ASI03: Identity and Privilege Abuse

What this means

Someone with access to the order UUID or chat transcript could potentially view order details or misuse the eSIM activation information.

Why it was flagged

Order status and activation details are accessed by order UUID without account authentication, so the order UUID and activation code should be treated as sensitive.

Skill content

**Authentication:** None required ... GET | `/order/{uuid}` | Check order status ... **Activation Code:**

Recommendation

Keep order UUIDs, ICCIDs, payment links, and activation codes private, and avoid sharing transcripts that contain them.

Info

#ASI04: Agentic Supply Chain Vulnerabilities

What this means

Different environments may install different requests versions, which can affect reproducibility.

Why it was flagged

The dependency is a broad lower-bound requirement rather than a pinned version. This is common for a simple API client, but it leaves dependency resolution to the install environment.

Skill content

requests>=2.28.0

Recommendation

Install from a trusted environment and consider pinning dependencies if reproducible or audited installs are important.