Skill v1.0.0
ClawScan security
Make Bets | With your creditCard · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 11, 2026, 12:49 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's behavior mostly matches a wallet/checkout integration, but there are noteworthy mismatches and risky instructions (saving and executing remote files, executing a delivered decrypt script, and a registry/name mismatch) that deserve caution before installing.
- Guidance: This skill appears to implement a legitimate agent-driven payment/checkout integration, but exercise caution before installing:
  - Name mismatch: The published skill name ('Make Bets | With your creditCard') does not match the internal skill (creditclaw-amazon). Ask the publisher why the registry name implies gambling while the skill blocks gambling in its settings.
  - Execution of remote content: The workflow delivers an encrypted card file that contains a decrypt script which the agent is instructed to run (node decrypt.js). Running code contained in files fetched at runtime is dangerous unless your agent runtime enforces strict sandboxing and prevents exfiltration. Confirm your agent environment can safely spawn isolated sub-agents and that those sub-agents are sandboxed.
  - Files written to disk: The instructions tell the agent to save files under ~/.creditclaw and .creditclaw/cards. If you install, ensure those directories and files are stored where you expect, and that file permissions prevent unintended access.
  - Fallback behavior widens risk: The doc says if the environment can’t spawn sub-agents, the main agent may run the decrypt steps; this would expose sensitive card data to the main agent. Prefer policies that require sub-agent isolation and explicit owner approval.
  - Limit the API key: Only provide CREDITCLAW_API_KEY if you trust creditclaw.com and you can monitor its use. The docs correctly warn never to send the API key to other domains.

  What would increase confidence: a registry entry whose name/description match the skill's internal metadata; explicit declarations of required binaries (node, curl) and config paths; and explicit, verifiable guarantees about sub-agent sandboxing (e.g., a signed sandbox runtime or documented isolation constraints). If you cannot verify sandboxing and the publisher, treat this as risky and avoid giving it your API key.
Review Dimensions
- Purpose & Capability (note): The declared purpose (agent shopping with owner-approved, guardrailed wallets) aligns with the single required credential (CREDITCLAW_API_KEY) and the API endpoints (creditclaw.com/api/v1). However the registry name provided by the submitter ('Make Bets | With your creditCard') does not match the internal skill name (creditclaw-amazon) and the skill content explicitly disallows gambling in its spending policy — this naming mismatch is suspicious and unexplained. The skill's docs also assume the ability to write files under the user's home (e.g., ~/.creditclaw/skills and .creditclaw/cards) and to run node decrypt.js, but the manifest declares no required binaries/config-paths; that's an inconsistency.
- Instruction Scope (concern): Instructions tell the agent to download skill files and to save owner-provided encrypted card files to disk and then execute a decrypt script (node decrypt.js) delivered inside that file. They explicitly recommend spawning ephemeral sub-agents to run decrypt and checkout steps, but also include a fallback that allows the main agent to run the decrypt step if sub-agent capabilities aren't available. That means the skill directs the agent to fetch external content, persist files to the home directory, and execute code delivered at runtime — actions that significantly expand the agent's scope and create opportunities for code execution or data exposure if the runtime is not properly sandboxed.
- Install Mechanism (note): There is no formal install spec (lowest install risk). However the runtime instructions encourage using curl to fetch and save remote files from creditclaw.com into local ~/.creditclaw directories. The URLs are all on the same domain as the API, which is expected, but writing and executing content fetched at runtime (especially the decrypt script embedded in owner-delivered files) increases the attack surface even without a packaged installer.
- Credentials (note): Only one required environment variable is declared (CREDITCLAW_API_KEY), which is appropriate for an API-based payment integration. That credential is necessary and proportional. Minor inconsistency: the manifest lists no required config paths, yet the instructions tell the agent to save files to ~/.creditclaw and .creditclaw/cards — so the skill expects filesystem access that isn't reflected in the metadata. Also the registry name hinting at gambling is inconsistent with the spending.md which explicitly blocks gambling.
- Persistence & Privilege (ok): The skill is not always-enabled and does not request elevated platform privileges. It does instruct saving files to user home and the workflow relies on ephemeral sub-agents, but it does not claim the ability to change other skills or system settings. The risk here stems from writing/executing runtime-delivered content rather than from elevated declared privileges.
