Shop from Instagram - With your credit card

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real payment/shopping skill, but it needs Review because it gives agents broad real-money purchasing authority with inconsistent Stripe-wallet branding and some under-scoped automated workflows.

Install only if you intend to let an agent make or request real financial transactions through CreditClaw. Verify the publisher and skill identity, keep CREDITCLAW_API_KEY restricted to creditclaw.com, start with ask-for-everything approval, set low spending limits and blocked categories, and understand that purchase, shipping, webhook, and payment-signing data may be sent to CreditClaw and downstream merchants or payment services.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (16)

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The manifest metadata conflicts with the provided skill identity and purpose: the user-facing context says 'stripe-wallet' while the manifest names 'creditclaw-stripe' and describes broader shopping and approval workflows. This kind of branding and scope mismatch can mislead users about what service they are authorizing and what capabilities the skill may exercise, increasing phishing, trust-confusion, and over-permission risk.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The manifest frames the skill as a Stripe/x402 wallet, but the body exposes substantially broader purchasing functions including Amazon, Shopify, SaaS, and card-based checkout. This scope mismatch can mislead users, reviewers, or policy engines into granting a narrower payment capability than the skill actually enables, increasing the risk of unintended spending authority.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The skill includes a generic payment-link creation feature that allows charging third parties, which is broader than the stated purpose of topping up and using a wallet for purchases or A2A payments. This expands the operational and abuse surface by enabling collection workflows that may be unexpected to deployers and not covered by the advertised scope.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The API reference lists an additional 'Sub-Agent Card' rail that is not described in the manifest or earlier capability summary. Undeclared payment rails create hidden capability expansion, making it harder for users and governance systems to understand the real authority granted by the skill.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This description promotes agent-initiated online purchasing using funded wallets and payment methods, but it does not clearly warn users that the skill can spend real money or affect linked payment accounts. In a payments context, that omission is security-relevant because users may enable the skill without understanding the financial consequences, approval requirements, or risk of unintended transactions.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The heartbeat is framed as a periodic routine ('suggested: every 30 minutes') but does not clearly define the authorized trigger, execution context, or guard conditions. In an agent setting, this ambiguity can cause repeated autonomous execution of wallet-related checks and follow-on actions, increasing the chance of unintended financial workflow interaction.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The routine instructs the agent to POST a top-up request automatically when balance is low, which is a state-changing action affecting the user's wallet workflow and potentially generating notifications or funding requests without contemporaneous consent. Because it is embedded in a recurring heartbeat, this can lead to repeated or surprise financial actions triggered solely by low balance conditions.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation instructs agents to send a full shipping address, including recipient name and street address, to an external purchase API without any explicit warning about sensitive-data handling, retention, or third-party sharing. In an agent setting, this omission can cause unnecessary transmission of personally identifiable information to external services without informed consent or minimization safeguards.

Missing User Warnings

Low
Confidence
81% confidence
Finding
The webhook section states that order events will be sent to a user-supplied callback URL, but it does not warn that purchase metadata may be disclosed to an external endpoint controlled by the integrator. Without guidance on trust boundaries, signing, or validation, users may expose order-status data to unintended recipients or insecure receivers.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
This guide instructs an agent how to initiate real-card purchases and approval flows but never explicitly warns that these actions can spend the owner's actual funds. In an agent skill context, omission of a prominent real-money warning materially increases the chance of unintended financial transactions because the surrounding language normalizes routine purchasing behavior.

Missing User Warnings

Low
Confidence
82% confidence
Finding
The manifest requires a long-lived API key for an external payment service but provides no visible disclosure in this file about what external access occurs, how the credential is handled, or what operations it authorizes. In a payments-related skill, unclear credential scope and external transmission increase the chance of users supplying sensitive secrets without understanding data flow or financial implications.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
This guide instructs an agent to authorize payment signing with a bearer API key and transmit payment parameters, but it does not explicitly warn that these actions can spend real funds or that the API key is a sensitive secret. In an agent-skill context, that omission increases the chance of accidental unauthorized spending or credential exposure through logging, prompt leakage, or unsafe reuse.

External Transmission

Medium
Category
Data Exfiltration
Content
### Purchase Request

```bash
curl -X POST https://creditclaw.com/api/v1/card-wallet/bot/purchase \
  -H "Authorization: Bearer $CREDITCLAW_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
```

Confidence
93% confidence
Finding
curl -X POST https://creditclaw.com/api/v1/card-wallet/bot/purchase \ -H "Authorization: Bearer $CREDITCLAW_API_KEY" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
### Request x402 Payment Signature

```bash
curl -X POST https://creditclaw.com/api/v1/stripe-wallet/bot/sign \
  -H "Authorization: Bearer $CREDITCLAW_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
```

Confidence
83% confidence
Finding
curl -X POST https://creditclaw.com/api/v1/stripe-wallet/bot/sign \ -H "Authorization: Bearer $CREDITCLAW_API_KEY" \ -H "Content-Type: application/json" \ -d

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
**You must follow these rules:**
- If `approval_mode` is `ask_for_everything`, ask your human before any purchase to get their approval. **New accounts default to this mode.** Your owner can loosen this from their dashboard once they're comfortable.
- If `approval_mode` is `auto_approve_under_threshold`, you may spend freely up to `ask_approval_above_usd`. Anything above that requires owner approval.
- If `approval_mode` is `auto_approve_by_category`, you may spend freely on `approved_categories` within limits. All others require approval.
- **Never** spend on `blocked_categories`. These are hard blocks enforced server-side and will be declined.
- Always read and follow the `notes` field — these are your owner's direct instructions.
Confidence
84% confidence
Finding
auto_approve

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
**You must follow these rules:**
- If `approval_mode` is `ask_for_everything`, ask your human before any purchase to get their approval. **New accounts default to this mode.** Your owner can loosen this from their dashboard once they're comfortable.
- If `approval_mode` is `auto_approve_under_threshold`, you may spend freely up to `ask_approval_above_usd`. Anything above that requires owner approval.
- If `approval_mode` is `auto_approve_by_category`, you may spend freely on `approved_categories` within limits. All others require approval.
- **Never** spend on `blocked_categories`. These are hard blocks enforced server-side and will be declined.
- Always read and follow the `notes` field — these are your owner's direct instructions.
- Cache this for up to 30 minutes. Do not fetch before every micro-purchase.
Confidence
84% confidence
Finding
auto_approve

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal