MetaMask Payments

Security checks across malware telemetry and agentic risk

Overview

This is a real payment-agent skill, but its MetaMask branding is inconsistent with broad CreditClaw spending, card, shopping, invoicing, and storefront powers that deserve human review.

Install only if you intend to trust CreditClaw with agent spending and commerce workflows. Use a limited, revocable API key, keep approval mode strict, confirm merchant/domain/amount/address before each purchase, avoid the encrypted-card rail unless your agent can isolate card handling, and treat invoice/customer/shipping data as sensitive third-party disclosure.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The skill metadata says this is a MetaMask wallet skill, but the file actually documents a different third-party payment platform and broader checkout/invoicing/shop features. This kind of capability/identity mismatch is dangerous because an agent or operator may grant trust, permissions, or financial authority based on the manifest while the skill performs materially different payment operations.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The skill explicitly instructs the agent to navigate to merchant-controlled and test checkout URLs and complete purchases, which grants broad browser automation over arbitrary third-party pages. In a payments skill, that materially expands the attack surface to phishing pages, malicious checkout flows, and unintended submission of sensitive payment data outside a tightly constrained domain model.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The file is packaged under a MetaMask skill but documents a CreditClaw encrypted card system with different APIs, trust boundaries, and capabilities. This manifest-to-behavior mismatch can mislead users and automated policy systems into granting permissions or trust appropriate for a wallet skill while actually enabling card handling, decryption, webhook processing, and browser-based purchasing flows.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The manifest presents the skill as a MetaMask wallet integration, but the body documents a much broader third-party financial platform with registration, custodial spending rails, webhook delivery of sensitive payment material, and merchant/sales features. This mismatch can mislead users and agents into granting financial capabilities they did not intend to enable, increasing the chance of overbroad use and unsafe trust decisions.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The skill advertises spending power and financial management, but also includes storefronts, payment links, invoices, and seller-profile functionality that materially expand its authority into merchant operations. That scope expansion is dangerous because an agent or operator may enable the skill for purchasing while unintentionally exposing revenue collection, public commerce, or customer-facing financial actions.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The skill explicitly supports collecting buyer names and other customer information, but it provides no privacy notice, minimization guidance, or warning that personal data will be transmitted to an external payment service. In an agent setting, that can cause silent disclosure of PII to third parties and noncompliant handling of customer data.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The invoice flow sends recipient data and a PDF invoice over email, but the skill does not warn that customer information will be transmitted externally or that email/PDF delivery may expose sensitive billing details. For an autonomous agent, this can trigger unintended disclosure of personal or commercial information to third parties.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The document instructs an agent to transmit sensitive personal and transactional data, including full shipping addresses and purchase details, to an external service without any privacy, minimization, retention, or consent guidance. In a wallet/purchasing skill, this is more dangerous because the agent is explicitly granted spending authority and may process real user PII and order data in automated flows.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The skill uses broad trigger language such as using the workflow whenever the agent needs to make a purchase, without narrow eligibility criteria, prohibited use cases, or clear confirmation requirements. In a financial skill, vague invocation boundaries materially increase the risk of accidental or prompt-induced spending behavior, even if some server-side guardrails exist.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The document enables real-money wallet operations and payment signing but does not prominently warn that actions can spend actual funds or expose sensitive financial activity. In an agent skill context, this increases the chance that an operator or downstream agent invokes payment flows without informed consent or adequate review.

External Transmission

Medium
Category
Data Exfiltration
Content
Once the checkout is approved, call this endpoint to retrieve the one-time decryption key:

```bash
curl -X POST https://creditclaw.com/api/v1/bot/rail5/key \
  -H "Authorization: Bearer $CREDITCLAW_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "checkout_id": "r5chk_abc123" }'
```
Confidence
89% confidence

VirusTotal

66/66 vendors flagged this skill as clean.
