Authorize.net Agentic Payments - Add agentic cards and wallets to your stack

Security checks across malware telemetry and agentic risk

Overview

This is a real-money payment skill that mostly describes its financial purpose, but it needs review because its branding, declared files, and purchasing scope are not fully consistent.

Install only if you intentionally want a CreditClaw payment skill, not an official-looking Authorize.net integration. Keep ask-for-everything approval enabled, use low limits or dedicated funding, secure the API key and webhook secret, verify recipients and shipping details before sending requests, and avoid the Crossmint flow until it is fully declared in the manifest and reviewed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
This document introduces a Crossmint wallet purchasing flow that materially expands the skill's effective capability from the declared Authorize.net payment-provider scope to agent-driven real-world purchases. That mismatch is dangerous because downstream users, reviewers, or policy gates may rely on the manifest to understand what the skill can do, and hidden or draft purchasing functionality can bypass informed consent and security review.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The manifest metadata conflicts with the stated skill identity: the review context says this is an Authorize.net skill, but the file configures CreditClaw endpoints, branding, and documentation. In a payments context, this kind of identity mismatch is dangerous because it can mislead reviewers and users about which provider receives credentials and transaction authority, increasing the risk of phishing, unauthorized fund movement, or trust-boundary violations.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The workflow states that CreditClaw will place a real merchant order on the agent's behalf, but it does not prominently warn that submitting the request may trigger an actual purchase and transmit shipping PII to third parties such as Crossmint and the merchant. In a payments skill, that omission increases the risk of unintended purchases, privacy violations, and misuse by agents or operators who do not realize the action has external financial and data-sharing consequences.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The manifest requires a high-value secret (CREDITCLAW_API_KEY) for a payments skill but provides no in-manifest warning about the sensitivity of the credential or the fact that it enables financial actions. In a financial-management skill, missing disclosure materially raises the chance that users will supply powerful API keys without understanding transaction scope, storage expectations, or abuse consequences.

External Transmission

Medium
Category
Data Exfiltration
Content
Once the checkout is approved, call this endpoint to retrieve the one-time decryption key:

```bash
curl -X POST https://creditclaw.com/api/v1/bot/rail5/key \
  -H "Authorization: Bearer $CREDITCLAW_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "checkout_id": "r5chk_abc123" }'
```
Confidence
74% confidence
Finding
curl -X POST https://creditclaw.com/api/v1/bot/rail5/key -H "Authorization: Bearer $CREDITCLAW_API_KEY" -H "Content-Type: application/json" -d '{ "checkout_id": "r5chk_abc123" }'

VirusTotal

66/66 vendors flagged this skill as clean.
