CreditClaw Amazon

Security checks across malware telemetry and agentic risk

Overview

This is a broad CreditClaw payment-automation skill with real purchase, wallet, webhook, and storefront authority, not just a simple Amazon shopping helper.

Treat this as a privileged payment and commerce automation skill. Install only if you intentionally want an agent connected to CreditClaw to place purchases, handle payment-card workflows or saved payment methods, manage wallet/profile/webhook data, and create storefront or payment assets; use restricted credentials, require explicit approval for every transaction, and verify the publisher and backend controls before connecting real payment accounts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (44)

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The file declares a purchase/checkout capability for a third-party card service despite the skill metadata claiming an Amazon/Shop App search function. That mismatch is a strong sign of hidden functionality and capability laundering: a user or platform reviewing the skill for benign shopping/search behavior would not expect card-backed checkout flows and purchase execution instructions.

Context-Inappropriate Capability

Critical
Confidence
100% confidence
Finding
This section instructs the agent to retrieve a decryption key and decrypt payment card data, then map PAN/CVV/expiry/name/address into checkout fields. In the context of a skill advertised as search-oriented, enabling access to usable card credentials is highly dangerous because it facilitates unauthorized payment instrument use and materially increases fraud and data-exposure risk.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The guide directs browser automation to detect merchant payment forms, fill shipping/billing/card fields, submit purchases, and confirm results. That exceeds the stated skill purpose and converts the skill into a generalized purchase-execution agent, which is especially dangerous when combined with decrypted card handling and opaque external approval flows.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The file documents CreditClaw wallet, profile, and webhook-management operations, which are unrelated to the declared amazon-checkout / Shopify search purpose. This kind of capability mismatch is dangerous because it can hide unauthorized access to financial history and account configuration behind an innocuous skill label, increasing the chance of deceptive installation or misuse.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Access to wallet transactions and the ability to modify bot profile or callback URLs are unjustified for an Amazon checkout skill and create powerful out-of-scope capabilities. An attacker could use these functions to inspect financial activity or redirect webhooks to infrastructure they control, enabling account takeover of integrations, data interception, or persistence.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The file's functionality is materially different from the declared skill purpose: instead of Amazon checkout or Shopify Shop App search, it exposes a generic payment/storefront platform with checkout pages, invoices, payment links, webhooks, and shop publishing. This mismatch can cause an agent or reviewer to grant capabilities under false assumptions, enabling unexpected money collection, public storefront publication, and external callbacks far beyond the advertised scope.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The file materially exceeds the declared Amazon-only skill scope by introducing a generic multi-platform procurement router and merchant-discovery flow. In an agent context, this scope expansion can cause the agent to access unrelated external vendors and follow purchase workflows the user did not authorize, increasing the risk of unintended transactions and data exposure.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The CreditClaw vendor-discovery API introduces a new external capability unrelated to the stated Amazon checkout purpose, enabling enumeration and retrieval of third-party merchant skills. This broadens the trust boundary and can redirect an agent into arbitrary checkout instructions from external sources, which is especially risky because the content is effectively executable guidance for purchase flows.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
Labeling the document as only a pre-checkout decision point understates that it also instructs full browsing, product selection, checkout routing, and payment-form identification. This misleading framing can bypass operator expectations and safety controls, causing an agent to perform more consequential commerce actions than reviewers or users anticipated.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The manifest advertises a narrow Amazon checkout capability, but the skill actually introduces a much broader financial platform with bot registration, wallet management, cross-merchant purchasing, storefront sales, and webhook features. This scope mismatch is dangerous because users or orchestrators may grant trust or permissions based on the declared purpose while the skill enables materially broader financial actions.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
Self-registration and owner-linking let the agent create a new financial identity and initiate activation workflows that exceed the stated Amazon checkout purpose. That expands the blast radius from a simple checkout helper into account provisioning and wallet enrollment, which could be misused to establish payment capability without clear user understanding.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The file advertises merchant discovery, storefront creation, and selling features unrelated to Amazon checkout. These unrelated procurement and sales capabilities broaden what the agent can do with payment-linked infrastructure and make abuse or user confusion more likely.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The manifest claims to be an Amazon checkout skill, but its homepage, repository, and API endpoint all point to an unrelated CreditClaw service. This mismatch is a strong indicator of deceptive packaging or capability laundering, where a user may grant trust and permissions to a skill whose real backend serves a different purpose than advertised.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Requesting a CREDITCLAW_API_KEY for a skill described as Amazon checkout is unrelated to the stated functionality and creates unnecessary credential exposure risk. A misleading skill can trick operators into supplying secrets for a third-party service, enabling unauthorized API use, data access, account abuse, or covert exfiltration through the remote backend.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
This file is materially inconsistent with the declared skill purpose of Amazon checkout via Shopify Shop App search and instead introduces a separate CreditClaw/OpenClaw payment workflow. That mismatch is a strong indicator of hidden capability injection: a user or reviewer expecting Amazon/Shopify behavior would instead enable arbitrary payment checkout logic tied to card decryption and external payment operations.

Context-Inappropriate Capability

Critical
Confidence
99% confidence
Finding
These instructions explicitly retrieve a decryption key, decrypt payment-card data, and use it to complete checkout at arbitrary merchants. In the context of an Amazon/Shop App search skill, this is highly dangerous because it grants broad payment execution capability unrelated to the advertised function and could facilitate unauthorized purchases or card misuse.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The file adds autonomous sub-agent spawning with inherited credentials and delegated execution, which meaningfully expands the agent's authority beyond the stated search use case. Hidden delegation mechanisms are dangerous because they can obscure actions from the primary agent context, complicate oversight, and enable unauthorized external actions under inherited authentication.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The skill metadata says this capability is for a Shopify Shop App search function, but the content documents full Amazon authentication, checkout navigation, payment selection, and final order placement. This creates clear scope expansion from search into transactional purchasing, which is dangerous because an agent using this guide could authenticate to a user account and complete purchases beyond the declared purpose.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
These lines instruct the agent to select a saved card, confirm shipping details, and click the final order button, despite the skill being described as search-oriented. In context, this is an unjustified high-risk action because it enables real-world financial transactions and shipment commitments from a capability that users and reviewers would reasonably expect to be non-transactional.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The documented sign-in flow captures and submits Amazon account credentials and handles authentication state, which exceeds a search-only purpose. Even without raw card entry, authenticated account access is sensitive and increases the blast radius to orders, addresses, saved payment methods, and account data if the agent misuses or mishandles the session.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This guide documents end-to-end checkout actions, including entering decrypted payment-card data into merchant forms across multiple payment processors. That capability materially exceeds the stated skill purpose of Amazon/Shop App search and enables autonomous purchase completion on arbitrary sites, increasing the risk of unauthorized transactions and misuse of sensitive payment data.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The generic fallback for unknown sites broadens the skill from a narrowly described Amazon/Shop App search function into a universal shopping/checkout browser automation guide. This scope drift is dangerous because it lets the agent operate on arbitrary merchant sites outside the user's expected context, making abuse and unintended purchases more likely.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The documentation explicitly instructs the agent to use decrypted card number and CVV values, which is highly sensitive financial data handling unrelated to the stated search-only purpose. Exposing a skill to decrypted payment credentials dramatically raises the risk of payment fraud, data leakage, and unauthorized transaction execution.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The file contains end-to-end instructions for completing a live Shopify checkout, including shipping, payment iframe handling, and final purchase submission, which materially exceeds the stated skill purpose of Amazon checkout via Shopify Shop App search. This scope expansion is dangerous because it enables autonomous real-money purchases on arbitrary third-party stores without clear business justification or user-protection boundaries.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The guide explicitly teaches entry of card number, expiry, CVV, and cardholder name into Shopify-hosted payment iframes and proceeds to submit payment on third-party stores. Because the declared skill purpose does not justify handling raw payment credentials, this creates unnecessary exposure of highly sensitive financial data and enables unauthorized or unintended transactions.

VirusTotal

61/61 vendors flagged this skill as clean.
