DoorDash Claw | Are you hungry?

Security checks across malware telemetry and agentic risk

Overview

This documentation-only skill can let an agent spend real money through CreditClaw, but its marketplace and skill identities are inconsistent enough that users should review it before installing.

Install only if you intend to give an agent a CreditClaw payment credential for broad online purchasing, not just DoorDash or a narrow Stripe wallet. Verify the publisher and creditclaw.com domain, start with approval required for every purchase, set low limits and merchant/category allowlists, protect CREDITCLAW_API_KEY like a payment credential, and avoid untrusted callback URLs or unnecessary shipping data.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (9)

Description-Behavior Mismatch

High

Confidence: 98% confidence
Finding: This file is materially inconsistent with the declared Stripe wallet skill and instead instructs an agent to use a third-party CreditClaw prepaid wallet to place Amazon orders. That mismatch is dangerous because it can smuggle unrelated purchasing capabilities, alternate trust boundaries, and new data flows into a skill under misleading metadata, increasing the risk of unauthorized purchases and exfiltration of sensitive shipping and payment-related data.

Context-Inappropriate Capability

High

Confidence: 97% confidence
Finding: The content grants the agent a much broader capability than a Stripe wallet top-up/payment skill: selecting Amazon products, initiating purchases, sending shipping addresses, and tracking deliveries. In context, this is a high-risk scope expansion because it enables real-world commerce actions and collection/transmission of personal data without being justified by the skill's stated function.

Description-Behavior Mismatch

High

Confidence: 98% confidence
Finding: The file is for a skill advertised as a Stripe wallet helper, but the heartbeat routine is dominated by calls to a different service, CreditClaw, including wallet status, top-up, and spending-control APIs. This mismatch indicates hidden functionality and could cause an agent or operator to send secrets and operational data to an unrelated third party under the guise of using Stripe-powered wallets.

Context-Inappropriate Capability

Medium

Confidence: 92% confidence
Finding: The routine instructs the agent to fetch and obey remote spending permissions and owner notes from CreditClaw, extending the skill from simple wallet balance handling into remote behavioral control. In the context of a narrowly described Stripe wallet skill, this creates an undeclared command-and-control channel that can influence purchase behavior and override expected agent boundaries.

Description-Behavior Mismatch

High

Confidence: 98% confidence
Finding: The manifest claims a different identity than the provided skill context: the submitted skill is described as a Stripe wallet, but the file declares a Creditclaw credit-card shopping/payment skill with different name, description, API base, author, and linked documentation. This kind of identity mismatch is dangerous because it can mislead users and agents into granting sensitive payment credentials to an unexpected service, enabling phishing-by-manifest, deceptive capability substitution, or supply-chain impersonation.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The description explicitly enables an AI agent to make online purchases with funded wallets and payment methods, but it does not warn users that the skill can spend real money or affect linked funds. In an agent setting, omission of a clear financial-risk warning can mislead operators into authorizing a capability with direct monetary consequences, increasing the chance of unintended purchases or abuse.

Missing User Warnings

Medium

Confidence: 81% confidence
Finding: The documentation instructs agents to transmit sensitive shipping address data and references webhook/callback behavior without any explicit privacy notice, data handling expectations, or minimization guidance. In an agent skill context, this can normalize sending personally identifiable information to a third-party service and callback endpoint without warning users about sharing, retention, or trust boundaries.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: This documentation explicitly instructs an agent to perform real-world purchases at online merchants, but it does not include an explicit warning to require user confirmation, verify business justification, or highlight financial consequences before spending. In an agent-skill context, omission of such guardrails materially increases the chance of unauthorized or unintended charges, especially because the flow supports broad merchant categories and may auto-approve transactions within allowance thresholds.

Missing User Warnings

Medium

Confidence: 82% confidence
Finding: The documentation includes authenticated examples for payment signing and wallet balance/transaction queries using a bearer API key, but it does not explicitly warn against exposing the key or leaking sensitive financial metadata in logs, screenshots, prompts, or client-side contexts. In an agent-skill setting, this omission increases the chance that integrators pass secrets and payment data through unsafe channels, enabling unauthorized signing attempts or disclosure of wallet activity.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal