Bank Claw | Give your agent a bank account

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it gives an agent real payment and shopping authority while the public Stripe/x402 framing does not fully match the broader CreditClaw purchasing behavior.

Install only if you intentionally want an agent to shop and make payments through CreditClaw, not just hold a Stripe/x402 wallet. Keep ask-for-everything approval enabled or set very low limits, restrict merchants/categories, protect CREDITCLAW_API_KEY, review any remote guide files before use, and treat shipping addresses and payment links as sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (19)

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding: The heartbeat is for a 'stripe-wallet' skill, but the file actually directs the agent to interact with an unrelated CreditClaw wallet service, including status checks, spending controls, and funding requests. This is a strong scope-deception/signature-mismatch issue that could redirect credentials and wallet operations to an unexpected third party, defeating user expectations and trust boundaries.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding: The instruction to 'read and follow' owner-supplied notes gives a broad, dynamic command channel that can extend behavior beyond the stated wallet/status purpose. In an agentic setting, this can become an unbounded instruction surface for risky purchases, policy bypass, or other actions not constrained by the skill's declared scope.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding: The file materially diverges from the declared skill purpose: instead of documenting a Stripe/Link wallet, it describes a separate CreditClaw prepaid wallet funded via USDC on Base and used to place real-world merchant orders. This kind of scope mismatch is dangerous because it can mislead users, reviewers, or agents into granting capabilities and transmitting funds or PII to an unexpected third-party payment rail.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding: The documented APIs enable real purchases and require shipping addresses, which is a materially broader and more sensitive capability than a generic Stripe wallet top-up/use case. In context, this increases risk of unauthorized commerce, unintended data sharing with merchants, and misuse of agent authority because the operational behavior is not justified by the skill's stated purpose.

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding: The skill metadata describes a Stripe/Link-powered x402 wallet, but this file expands the agent's authority into generalized shopping and purchase execution workflows. That scope mismatch is dangerous because an agent or reviewer may reasonably grant this skill access for x402 payments while the documentation quietly enables broader commercial transactions and wallet-funded purchases.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding: Documenting Amazon, Shopify, and arbitrary URL purchasing under a skill presented as a Stripe x402 wallet materially broadens what the agent may attempt to buy. Arbitrary URL checkout is especially risky because it creates an open-ended purchasing surface that can be abused for unintended merchants, policy evasion, or deceptive transactions beyond what the user expects from the skill description.

Description-Behavior Mismatch

Severity: High
Confidence: 96%
Finding: The manifest claims a different identity than the provided skill context: the submitted skill is described as a Stripe wallet, but the manifest names a different product/vendor ('creditclaw-creditcard') with different functionality and remote documentation URLs. This kind of identity mismatch is dangerous because it can mislead users or agents into granting credentials and permissions to an unexpected service, enabling phishing, trust confusion, or substitution of a more privileged payment capability than intended.

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding: The manifest markets this as a Stripe/x402 wallet skill, but the body exposes much broader capabilities: general shopping, merchant checkout, prepaid purchasing, and payment collection. This scope mismatch can cause agents or users to invoke the skill in situations far beyond the declared purpose, increasing the chance of unintended spending or abuse.

Context-Inappropriate Capability

Severity: Medium
Confidence: 86%
Finding: The payment-link feature allows the agent to charge external parties, which materially expands the skill from 'wallet for purchases or A2A payments' into merchant/payment-collection behavior. That creates risk of unauthorized billing, phishing-like misuse, or financial workflows the owner did not expect from the published scope.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding: The skill instructs use of a bearer API key to query an external service about wallet state, but does not provide clear handling guidance for secrets, logging, storage, or privacy implications. This increases the chance of credential leakage or unintentional disclosure of financial metadata during normal agent operation.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: This step performs a state-changing external POST to request funds, yet the workflow normalizes sending the request before clearly obtaining user approval. Because it can trigger financial operations or notifications on an external service, this is dangerous in an agent skill and can lead to unauthorized or manipulative top-up requests.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The purchase example instructs users to submit full shipping details without clearly warning that this information will be transmitted to the service and then to the merchant fulfilling the order. Omitting that disclosure can cause inadvertent exposure of sensitive personal data and undermines informed consent for an agentic purchasing workflow.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The document enables an agent to initiate real-money purchases, including auto-approved transactions, without an explicit warning that use of this rail can spend the owner's funds. In an agent-skill context, omission of a clear spending-risk warning increases the chance of unintended or overbroad use, especially because the guidance frames this as suitable for 'any online store'.

Vague Triggers

Severity: Medium
Confidence: 79%
Finding: The opening description is broad enough to match many ordinary 'buy', 'shop', or 'pay' requests, which can over-trigger the skill in high-risk financial contexts. Because the skill can register wallets and initiate financial actions, a loose invocation surface increases the chance of accidental or premature use.

Autonomous Decision Making

Severity: Medium
Category: Excessive Agency
Content:
## How It Works

Self-hosted cards use a split-knowledge privacy model. Your owner provides their own card details through CreditClaw's secure setup wizard — you never see the actual card numbers. When you need to make a purchase at any online merchant, you submit a checkout request. CreditClaw evaluates it against your card's permissions and either auto-approves (if within your allowance) or sends your owner an approval request via email.

**Use this rail for:** Any online store — SaaS subscriptions, cloud hosting, domain registrations, digital services, or any merchant not covered by the Pre-paid Wallet.
Confidence: 94%
Finding: auto-approve

Autonomous Decision Making

Severity: Medium
Category: Excessive Agency
Content:
1. You submit a checkout request with merchant and amount details
2. CreditClaw evaluates the request against your card's permissions
3. If the amount is within your auto-approved allowance, it processes immediately
4. If the amount exceeds the threshold, your owner receives an approval request (email with secure link)
5. You poll for the result
6. Once approved, the transaction is recorded
Confidence: 95%
Finding: auto-approve

Autonomous Decision Making

Severity: Medium
Category: Excessive Agency
Content:
## Allowance Thresholds

Your owner sets a per-profile allowance threshold for each card. Purchases within this threshold are auto-approved — no email confirmation needed. Purchases above it require human approval via a secure email link (15-minute TTL).

Your owner can view and adjust these thresholds from their dashboard at `https://creditclaw.com/app/self-hosted`.
Confidence: 93%
Finding: auto-approve

Autonomous Decision Making

Severity: Medium
Category: Excessive Agency
Content:
**You must follow these rules:**
- If `approval_mode` is `ask_for_everything`, ask your human before any purchase to get their approval. **New accounts default to this mode.** Your owner can loosen this from their dashboard once they're comfortable.
- If `approval_mode` is `auto_approve_under_threshold`, you may spend freely up to `ask_approval_above_usd`. Anything above that requires owner approval.
- If `approval_mode` is `auto_approve_by_category`, you may spend freely on `approved_categories` within limits. All others require approval.
- **Never** spend on `blocked_categories`. These are hard blocks enforced server-side and will be declined.
- Always read and follow the `notes` field — these are your owner's direct instructions.
Confidence: 84%
Finding: auto_approve

Autonomous Decision Making

Severity: Medium
Category: Excessive Agency
Content:
**You must follow these rules:**
- If `approval_mode` is `ask_for_everything`, ask your human before any purchase to get their approval. **New accounts default to this mode.** Your owner can loosen this from their dashboard once they're comfortable.
- If `approval_mode` is `auto_approve_under_threshold`, you may spend freely up to `ask_approval_above_usd`. Anything above that requires owner approval.
- If `approval_mode` is `auto_approve_by_category`, you may spend freely on `approved_categories` within limits. All others require approval.
- **Never** spend on `blocked_categories`. These are hard blocks enforced server-side and will be declined.
- Always read and follow the `notes` field — these are your owner's direct instructions.
- Cache this for up to 30 minutes. Do not fetch before every micro-purchase.
Confidence: 84%
Finding: auto_approve

VirusTotal

64/64 vendors flagged this skill as clean.