Skillv1.0.6

ClawScan security

Find Cheaper Insurance | · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 11, 2026, 12:56 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's declared purpose and credentials line up, but its runtime instructions ask the agent to download, save, and execute files (including a decrypt script delivered with encrypted card files), which is risky and worth caution before installing.
Guidance: This skill appears to do what it claims (enable agent shopping) and only asks for one API key. The main risk is that the workflow requires downloading files from creditclaw.com that can include an embedded decrypt script which the agent (or a spawned sub-agent) is expected to run. Executing code bundled with remote-delivered files can run arbitrary commands and leak data if the remote provider or its hosting is compromised. Before installing: only use this if you trust creditclaw.com; ensure the agent runs in an isolated environment (sandbox, container, or VM); enable strict owner approval (ask_for_everything) and conservative spending limits; verify downloaded files manually before executing any embedded scripts; limit the API key's scope and rotate it if you suspect it was exposed; and avoid reusing the same API key for other services. If you need higher assurance, ask the publisher for details (signing of delivered files, reproducible decrypt tooling, or an alternative flow that doesn't require executing remote scripts).

Review Dimensions

Purpose & Capability: okName/description describe agent shopping and payment rails; the single required env var (CREDITCLAW_API_KEY) and the REST endpoints in the docs are consistent with that purpose. No unrelated credentials or binaries are requested.
Instruction Scope: concernThe SKILL.md and companion docs instruct the agent to download skill files and to save encrypted card files to local paths (e.g., ~/.creditclaw/cards/). The encrypted card file is described as 'self-contained' and includes a decrypt script that the agent (or an ephemeral sub-agent) is expected to run (node decrypt.js <key> ...). Executing code shipped inside remote-delivered files gives that remote source the ability to run arbitrary code in the agent environment and is the main risk here. While this behaviour is explainable for an encrypted-card flow, it materially expands the agent's runtime permissions and attack surface.
Install Mechanism: noteNo formal install spec (instruction-only) — lower baseline risk. However, the docs provide curl commands to fetch and save multiple markdown files and instruct saving card files that embed a decrypt script. Downloading and then executing script content from creditclaw.com (even from their domain) is effectively installing remote code and should be treated as a higher-risk action.
Credentials: okOnly the CREDITCLAW_API_KEY is required and it's the declared primary credential. That matches the service's API-based design. No extraneous tokens, keys, or unrelated env vars are requested.
Persistence & Privilege: notealways is false and autonomous invocation is allowed (normal). The skill does instruct creating local directories and saving files under user home (e.g., ~/.creditclaw/skills and .creditclaw/cards) and to spawn ephemeral sub-agents; this persistence and code execution is expected for the encrypted-card workflow but increases long-term presence on disk and potential for misuse if those files or flows are compromised.