Make Bets | With your creditCard

Security checks across malware telemetry and agentic risk

Overview

This real-money payment skill is marketed as Amazon shopping but also enables broader spending, invoicing, payment collection, and public storefront actions.

Install only if you intend to give the agent broad CreditClaw wallet and commerce authority, not just Amazon shopping. If you do install it:
  • Keep approval required for every purchase.
  • Verify merchant/domain limits and blocked categories.
  • Do not use the main-agent card-decryption fallback with real cards.
  • Review any delivered decrypt script before execution.
  • Store API keys and card files in a secure secret store.
  • Avoid invoices or public shops unless you explicitly want those capabilities.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • System Prompt Leakage: Direct Leakage, Indirect Extraction, Tool-Based Exfiltration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (26)

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The file advertises a general payment-processing and merchant platform even though the enclosing skill is presented as an Amazon shopping capability. That scope mismatch can grant an agent unrelated money movement and seller operations, increasing the chance of unauthorized business actions and bypassing user expectations about what the skill is allowed to do.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Invoice creation and email-sending let the agent initiate outbound billing communications and payment collection unrelated to Amazon shopping. If exposed through this skill, an agent could generate invoices to arbitrary recipients, causing fraud, spam, reputational harm, and unauthorized financial requests under the user's account.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Public storefront publishing and seller-profile management are seller-side commerce capabilities, not Amazon purchasing features. In this context, they expand the agent from a shopper into a merchant operator that can expose products publicly, publish a shop, and distribute payment links, creating unauthorized public-facing sales surfaces.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The documented capability materially exceeds the stated Amazon-only scope by supporting Shopify and arbitrary URL-based stores. That scope mismatch can mislead users, reviewers, and policy controls, allowing the agent to initiate purchases from broader merchants than expected and weakening trust and approval boundaries.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The file describes a generalized wallet purchase flow through Crossmint and merchants, which broadens the operational scope beyond an Amazon shopping skill. In a purchasing agent, undocumented expansion of real-world transaction capability increases the chance of misuse, policy bypass, and user misunderstanding about what the agent can buy.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The file is presented as part of an Amazon shopping skill, but its instructions authorize generic payment-card use for arbitrary merchants. That scope expansion increases abuse potential because an agent granted this skill could be induced to perform non-Amazon purchases using real payment credentials.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The checkout API explicitly accepts arbitrary merchant names and URLs, enabling the skill to broker purchases anywhere rather than only on Amazon. In the context of an Amazon shopping skill, this is a capability overreach that could be abused for unauthorized spending or broader card use across unrelated sites.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The skill instructs the agent to execute a local Node.js decrypt script on sensitive card material, which materially increases risk by combining code execution with payment credential handling. Even if described as deterministic, running bundled local code from delivered content creates an attack surface for credential exposure, tampering, or execution of unexpected behavior.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
The sub-agent spawning pattern is a broad execution primitive that can be repurposed beyond Amazon shopping, including to isolate and process sensitive payment information. While isolation is a legitimate design goal, exposing generic delegated execution in a shopping skill broadens operational capability and can make misuse harder to monitor.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
This companion document expands the skill from Amazon shopping into general cross-rail wallet management, including funding and broader payment operations. That scope creep increases the chance an agent will use financial capabilities beyond the user's expected purpose, creating confused-deputy and unauthorized-spending risk.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The transaction model explicitly includes 'payment_received' for third-party payments, which is unrelated to an Amazon shopping skill and broadens the skill into general money movement. In an agent setting, undocumented or unjustified payment-receipt capability can be abused for off-purpose financial activity, laundering-like behavior, or deception about the skill's intended scope.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The skill is presented as an Amazon shopping integration, but its documented scope expands into a broad financial platform with multi-rail payments, wallet management, selling, and invoicing. This scope mismatch is dangerous because users or orchestrators may grant trust and permissions appropriate for limited shopping, while the skill actually enables much broader money movement and commerce operations.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
Seller-commerce features such as payment links, invoices, checkout pages, and shop management are materially different from 'shopping on Amazon' and expand the blast radius from purchasing into receiving funds and operating storefronts. This can mislead policy systems and end users into enabling an agent skill with financial functions they did not intend to authorize.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
Including unrelated payment rails such as x402/USDC signing and Crossmint-managed purchases broadens the skill beyond Amazon checkout into general-purpose payment execution. Even if some rails are gated or beta-only, their presence increases complexity, trust assumptions, and the chance an agent uses a non-obvious payment path.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
This companion file materially expands the skill from Amazon shopping into a general-purpose crypto payment rail using a USDC wallet and x402 signing. That scope expansion increases the attack surface and enables spending behavior unrelated to the parent skill’s stated purpose, which weakens least-privilege expectations for users and agents.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The documented signing flow allows payments to arbitrary external `resource_url` values and merchant wallet addresses, not just Amazon-related services. Even with server-side guardrails, this creates a broad exfiltration/spending primitive that an agent could use to pay unrelated third parties, greatly exceeding the expected scope of an Amazon shopping skill.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The wallet detail and transaction introspection endpoints expose balance, address, spending limits, domain rules, and approval state that are broader than what is necessary for Amazon purchasing. This sensitive financial metadata can help an agent or attacker profile available funds and guardrails, making targeted abuse or privacy leakage easier.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation includes collection and transmission of buyer personal data such as names and email addresses without any privacy notice, purpose limitation, retention guidance, or consent requirements. In a payment workflow, this can lead to silent handling of PII by agents and downstream services, increasing privacy, compliance, and misuse risks.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The webhook section encourages automatic fulfillment after payment without warning that this may instantly grant access, issue credentials, or deliver digital goods. In an agent setting, that can turn a payment event into unattended provisioning, making mistakes, spoofed integrations, or logic flaws directly impact entitlements and digital asset delivery.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The guide instructs transmission of shipping address details and purchase information for real-world orders, but does not prominently warn about privacy exposure, actual financial charges, or merchant fulfillment consequences. In this context, the omission is dangerous because the skill enables real purchases and handling of sensitive personal data, so users may underestimate the impact of invoking it.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The instructions tell the agent to save an encrypted card file to disk without prominent handling requirements for sensitive payment material. Even encrypted card artifacts are high-risk assets because compromise of the file plus later key retrieval could expose full card data.

Missing User Warnings

High
Confidence
99% confidence
Finding
The alternative flow explicitly allows the main agent to decrypt and view full card details, directly undermining the stated isolation model. In an LLM-agent context, exposing raw PAN/CVV data to the main context creates substantial risk of logging, prompt leakage, unintended reuse, or propagation to other tools and sessions.

External Transmission

Medium
Category
Data Exfiltration
Content
The sub-agent calls this endpoint to retrieve the one-time decryption key:

```bash
curl -X POST https://creditclaw.com/api/v1/bot/rail5/key \
  -H "Authorization: Bearer $CREDITCLAW_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "checkout_id": "r5chk_abc123" }'
```
Confidence
90% confidence
Finding

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
**You must follow these rules:**
- If `approval_mode` is `ask_for_everything`, ask your human before any purchase to get their approval. **New accounts default to this mode.** Your owner can loosen this from their dashboard once they're comfortable.
- If `approval_mode` is `auto_approve_under_threshold`, you may spend freely up to `ask_approval_above_usd`. Anything above that requires owner approval.
- If `approval_mode` is `auto_approve_by_category`, you may spend freely on `approved_categories` within limits. All others require approval.
- **Never** spend on `blocked_categories`. These are hard blocks enforced server-side and will be declined.
- Always read and follow the `notes` field — these are your owner's direct instructions.
Confidence
90% confidence
Finding
auto_approve

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
**You must follow these rules:**
- If `approval_mode` is `ask_for_everything`, ask your human before any purchase to get their approval. **New accounts default to this mode.** Your owner can loosen this from their dashboard once they're comfortable.
- If `approval_mode` is `auto_approve_under_threshold`, you may spend freely up to `ask_approval_above_usd`. Anything above that requires owner approval.
- If `approval_mode` is `auto_approve_by_category`, you may spend freely on `approved_categories` within limits. All others require approval.
- **Never** spend on `blocked_categories`. These are hard blocks enforced server-side and will be declined.
- Always read and follow the `notes` field — these are your owner's direct instructions.
- Cache this for up to 30 minutes. Do not fetch before every micro-purchase.
Confidence
90% confidence
Finding
auto_approve

VirusTotal

64/64 vendors flagged this skill as clean.
