MasterCard AgentPay | Compatible compatible cards, wallets & payments
Warn
Audited by ClawScan on May 10, 2026.
Overview
This appears to be a payment-spending integration, but it deserves careful review because it gives an agent real financial authority and has branding/provenance ambiguity.
Install only if you intentionally want this agent to have delegated payment capabilities. Before providing CREDITCLAW_API_KEY, verify CreditClaw and any Mastercard compatibility claims, pin or re-check the exact documentation version, start with ask-for-everything approval and low limits, secure webhook endpoints, and monitor the owner dashboard for all spending.
Findings (7)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user might install it believing it is officially tied to Mastercard rather than evaluating it as a CreditClaw payment service.
The registry uses official-sounding MasterCard AgentPay branding, but the artifacts and homepage are for CreditClaw and the source is unknown. For a financial skill, this could cause users to over-trust the integration or assume an affiliation not evidenced by the artifacts.
Name: MasterCard AgentPay | Compatible compatible cards, wallets & payments ... Source: unknown ... Homepage: https://creditclaw.com
Verify the vendor, domain, and any claimed Mastercard AgentPay compatibility or affiliation before providing an API key or payment access.
Payment behavior could depend on remote documentation that changes after installation or differs from the reviewed registry package.
The skill tells the agent to retrieve live remote instruction files at runtime. For a financial skill, mutable remote instructions and the observed version mismatch create a provenance gap: the instructions used later may differ from the reviewed artifacts.
Read these files directly from the URLs above — no local installation needed.
Prefer pinned, reviewed skill files; verify versions match; and re-review any remote documentation before allowing autonomous spending.
If configured, the agent may be able to make real purchases and handle sensitive card details under the CreditClaw guardrails.
The skill intentionally delegates payment-card use to the agent. This is disclosed and purpose-aligned, but it is still high-impact account and financial authority.
You decrypt the card details for a single transaction using a one-time key from the API ... Use the decrypted card details to complete checkout at DigitalOcean.
Use the lowest practical limits, keep approval mode set to ask-for-everything until trusted, disable recurring charges unless needed, and monitor/freeze the wallet if behavior looks wrong.
An agent with the API key could send payment requests or create customer-facing checkout artifacts through the CreditClaw account.
The skill documents account-mutating and externally visible business actions such as sending invoices and creating payment pages. These actions fit the stated commerce purpose, but users should notice that they can affect third parties.
Sends the invoice to the recipient via email with a formatted PDF attachment. Only draft invoices can be sent.
Require human review for invoice sending, public storefront changes, and customer-facing payment links unless the agent is explicitly trusted for those tasks.
Sensitive encrypted payment data could be delivered to a configured callback endpoint, so endpoint security and logging controls matter.
The skill supports automatic delivery of encrypted card data through webhook/message flows. The visible documentation does not show webhook signature or origin-validation details.
Via webhook: If you have a callback_url, the card details are delivered automatically
Use only trusted HTTPS callback URLs, validate webhook authenticity if supported, restrict access to webhook logs, and avoid forwarding payloads to other tools or agents.
A changed spending policy or note could cause the agent to ask for fewer approvals or make different purchase decisions.
The skill includes persistent local spending-policy text that the bot is expected to treat as authoritative before purchases. If that file is modified by an unintended party, it could influence future financial decisions.
Your bot reads this file before every purchase ... Your bot will read and follow these.
Protect spending.md from unauthorized edits and treat server-side CreditClaw guardrails as the authoritative control for spending limits.
The agent may repeatedly contact CreditClaw to check wallet status if a scheduler or user enables that routine.
The skill suggests periodic autonomous status polling. This is disclosed and limited to status/spending checks, with no hidden background code shown.
CreditClaw Heartbeat (suggested: every 30 minutes) ... Run this routine periodically
Schedule heartbeat checks only if needed, keep them read-only, and do not let periodic routines initiate purchases without explicit policy approval.
