ClawHub

DoorDash Claw | Order your next meal with OpenClaw

Security checks across malware telemetry and agentic risk

Overview

This is a real payment/shopping skill, but it is published under mismatched DoorDash/Stripe-style context while granting broad CreditClaw spending and payment authority.

Install only if you intentionally want a CreditClaw shopping and payment wallet, not a DoorDash-only or narrow Stripe/x402 skill. Verify the publisher and remote documentation first, protect CREDITCLAW_API_KEY like a payment credential, keep per-purchase approval enabled, use low spending limits and merchant/category allowlists, and require explicit approval before purchases, top-up requests, payment links, or sending shipping data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The heartbeat content is materially out of scope for a skill described as a Stripe wallet utility: it introduces a separate CreditClaw service, separate API key, separate wallet management flows, and periodic automated network actions. This mismatch is dangerous because a user or agent may trust the Stripe-branded skill while silently sending wallet metadata and triggering actions against an unrelated external financial service.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The skill tells the agent to read and follow externally supplied `notes` as direct instructions from the owner. That creates an instruction-injection channel from remote API content into agent behavior, potentially expanding what the agent will do beyond the declared wallet-checking purpose.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The manifest claims to be a Stripe wallet skill in the surrounding context, but the actual package identifies itself as a different product (`creditclaw-creditcard`) with different branding, endpoints, and hosted documentation. This kind of identity mismatch is dangerous because it can mislead reviewers and users into granting secrets or trust to an unrelated service, enabling credential exfiltration, unauthorized payments, or deceptive capability substitution.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The manifest presents this as a narrow Stripe/x402 wallet skill, but the body implements a far broader payment and commerce platform: generic purchases, Amazon/Shopify ordering, self-hosted card checkout, top-up workflows, and payment collection. This scope mismatch can mislead users, policy engines, or reviewers into granting a skill substantially more financial capability than advertised, increasing the risk of unauthorized spending or abuse.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The skill includes a 'charge anyone' payment-link feature that is not implied by the stated wallet/top-up/purchase use case. This expands the skill from spending funds to soliciting and collecting third-party payments, which can enable fraud, unauthorized billing, or abuse by an agent acting beyond the user's expectations.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The file directs the agent to send authenticated requests containing a bearer API key to an external service without clear user-facing disclosure of what data is transmitted or when. In a financial context, undisclosed credentialed network traffic can expose sensitive wallet status, account identifiers, and operational metadata to a third party.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The top-up request flow performs a state-changing POST to an external financial service and only afterward tells the human a request was sent. That is dangerous because it enables the agent to initiate financial workflow actions without an explicit just-in-time warning or approval at the moment of execution.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
**You must follow these rules:**
- If `approval_mode` is `ask_for_everything`, ask your human before any purchase to get their approval. **New accounts default to this mode.** Your owner can loosen this from their dashboard once they're comfortable.
- If `approval_mode` is `auto_approve_under_threshold`, you may spend freely up to `ask_approval_above_usd`. Anything above that requires owner approval.
- If `approval_mode` is `auto_approve_by_category`, you may spend freely on `approved_categories` within limits. All others require approval.
- **Never** spend on `blocked_categories`. These are hard blocks enforced server-side and will be declined.
- Always read and follow the `notes` field — these are your owner's direct instructions.
Confidence
88% confidence
Finding
auto_approve

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
**You must follow these rules:**
- If `approval_mode` is `ask_for_everything`, ask your human before any purchase to get their approval. **New accounts default to this mode.** Your owner can loosen this from their dashboard once they're comfortable.
- If `approval_mode` is `auto_approve_under_threshold`, you may spend freely up to `ask_approval_above_usd`. Anything above that requires owner approval.
- If `approval_mode` is `auto_approve_by_category`, you may spend freely on `approved_categories` within limits. All others require approval.
- **Never** spend on `blocked_categories`. These are hard blocks enforced server-side and will be declined.
- Always read and follow the `notes` field — these are your owner's direct instructions.
- Cache this for up to 30 minutes. Do not fetch before every micro-purchase.
Confidence
88% confidence
Finding
auto_approve

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal