Find Cheaper Insurance

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real CreditClaw payment skill, but its insurance-like listing and broad card, shopping, invoice, and storefront authority need review before installation.

Install only if you intend to give an agent real payment-wallet authority, not just insurance-search capability. Use the strictest human-approval mode, keep the API key and webhook secret in a secret manager, avoid main-agent card decryption, protect local card files from logs/backups/shared workspaces, and require explicit approval before purchases, invoice emails, payment links, or publishing a shop.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill instructs the agent to execute a local Node.js decrypt script embedded in or delivered with the card file, which is effectively executing code from an externally supplied sensitive artifact. Even if described as deterministic, this creates a code-execution trust boundary violation: a tampered file or script could exfiltrate decrypted card data, API keys, or other local secrets during checkout.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The document makes a strong security claim that the main agent never sees decrypted card data, then explicitly permits a fallback where the main agent performs decryption and checkout directly. This contradiction weakens operator trust and can expose full payment card data to a broader context window, logs, tools, memory, or downstream prompts, increasing the chance of leakage or misuse.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The skill is presented as a shopping/payment capability, but the documented functionality also enables the agent to create payment links, invoices, checkout pages, and sell to third parties. This scope expansion materially changes the risk profile because an installer expecting only spending may unknowingly grant the agent the ability to monetize, collect funds, or interact with external customers.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The API surface exposes seller operations that are not reflected in the top-level manifest description, creating a mismatch between declared and actual capabilities. In an agent ecosystem, this can lead to over-privileged deployment or unsafe trust decisions because reviewers may approve the skill for purchasing without realizing it can also create external payment flows.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill explicitly supports collecting buyer name and email and sending invoice emails, but it provides no privacy, consent, retention, or data-handling guidance. In an agent context, this can lead to unnecessary collection or transmission of personal data and noncompliant processing if downstream agents automatically use these fields.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill directs the agent to save an encrypted card file locally but provides no guidance on restrictive file permissions, secure storage location, encryption at rest, retention limits, or avoidance of backups/sync. Although the file is encrypted, it is still high-value payment material paired with local tooling and workflow instructions, so careless storage increases the risk of theft, replay attempts, tampering, or later decryption if related secrets are compromised.

Missing User Warnings

Medium
Confidence
79% confidence
Finding
The skill explicitly instructs caching spending-permissions data, including owner notes and blocked categories, without any guidance on secure storage, retention limits, or log suppression. That creates a realistic risk that sensitive policy data will be persisted in plaintext, exposed to other tools or users in the agent environment, or reused after permissions change.

External Transmission

Medium
Category
Data Exfiltration
Content
The sub-agent calls this endpoint to retrieve the one-time decryption key:

```bash
curl -X POST https://creditclaw.com/api/v1/bot/rail5/key \
  -H "Authorization: Bearer $CREDITCLAW_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "checkout_id": "r5chk_abc123" }'
```

Confidence
72% confidence
Finding

VirusTotal

61/61 vendors flagged this skill as clean.
