Replit Payments - Give your agent a CreditCard

Security checks across malware telemetry and agentic risk

Overview

The skill is a disclosed payment integration, but it gives an agent real spending, card-decryption, and public commerce powers that need human review.

Install only if you intentionally want an agent to handle real money through CreditClaw. Keep the API key and webhook secret in a secrets manager, require explicit human approval for purchases, set low limits and merchant/domain allowlists, avoid arbitrary merchants, prevent logs or subtasks from capturing decrypted card details, and enable shop, invoice, or payment-link features only when you specifically need them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Description-Behavior Mismatch (Medium, 88% confidence)

The documented merchant support materially expands the skill from a Replit-focused payments/wallet capability into general e-commerce purchasing. That scope drift is dangerous because an agent or user relying on the manifest may not expect arbitrary merchant ordering, increasing the chance of unauthorized real-world spending and misuse.

Description-Behavior Mismatch (Medium, 92% confidence)

The file states that CreditClaw can place real orders with merchants on the user's behalf, which is a materially higher-risk action than generic financial management. This mismatch can mislead integrators or end users into granting the skill broader trust than intended, enabling unexpected purchases with financial and physical-world consequences.

Description-Behavior Mismatch (Medium, 84% confidence)

The file presents a 'single checkout' decryption model but also instructs the agent to retain encrypted card data for future use and participate in a card-delivery lifecycle. That creates durable possession of highly sensitive payment material and expands the attack surface from one-time use into long-lived storage, webhook/message handling, and key-management workflows.

Context-Inappropriate Capability (Medium, 80% confidence)

Webhook or message-based delivery of encrypted card data, combined with instructions to store it, materially broadens exposure beyond a minimal checkout API. If callback endpoints, bot message stores, or acknowledgements are mishandled, attackers may capture reusable encrypted card blobs and later combine them with key retrieval flows to enable unauthorized purchases.

Description-Behavior Mismatch (Medium, 93% confidence)

The manifest advertises the skill as payments and wallet management, but the body also exposes merchant and storefront capabilities such as checkout pages, invoices, seller profiles, and public shops. This scope mismatch can cause an orchestrator or user to authorize a broader business-operation surface than expected, increasing the chance the skill is invoked in contexts involving outbound charging, sales, and data handling without clear consent boundaries.

Context-Inappropriate Capability (Medium, 88% confidence)

The skill includes sales tooling that goes beyond the stated purpose of giving an agent spending power, introducing the ability to create payment links, invoices, checkout pages, and public shops. That expanded authority materially changes the risk profile because the agent can not only spend funds but also initiate commerce flows and interact with third-party customers.

Missing User Warnings (Medium, 91% confidence)

The skill explicitly collects and transmits buyer personal data such as recipient_name, recipient_email, and optionally buyer names, but provides no privacy notice, data handling guidance, retention limits, or warning about transmitting third-party PII to an external payment service. In a payments context this is sensitive operational data, and lack of disclosure or minimization increases privacy, compliance, and misuse risk.

Missing User Warnings (Medium, 90% confidence)

The guide instructs users to submit real purchase orders including shipping address information, but it does not clearly warn that this sends sensitive personal data to external services and may result in irreversible real-world purchases. In an agentic context, omission of these warnings increases the risk of privacy loss, accidental deliveries, and unauthorized spending.

Vague Triggers (Medium, 76% confidence)

The trigger 'You decide a purchase is needed' is overly broad for an autonomous agent handling payments. Ambiguous authorization language can cause the agent to initiate purchases based on weak inference, prompt injection from third-party content, or misclassified tasks, especially because the skill gives direct spending capability.

Missing User Warnings (Medium, 89% confidence)

The manifest requires a sensitive API credential and points to an external financial service, but the file itself provides no visible warning about the sensitivity of the key, the external network access, or the spending/payment capabilities of the skill. In a payments and wallet context, this omission is more dangerous than usual because users may grant a credential that enables real financial actions without clear disclosure of scope and risk.

Vague Triggers (Medium, 84% confidence)

The top-level description uses broad language like giving the agent spending power and financial management without clearly defining allowed triggers, user-consent gates, or prohibited use cases. In a financial skill, vague invocation conditions are risky because they can lead an autonomous agent to activate registration, wallet polling, or commerce actions in situations where explicit human intent was not established.

VirusTotal

66/66 vendors flagged this skill as clean.