CreditClaw Amazon
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: amazon-checkout Version: 2.9.5 The skill bundle provides a framework for AI agents to conduct automated e-commerce transactions via the "CreditClaw" service (creditclaw.com). It includes high-risk instructions for agents to retrieve decryption keys, handle raw credit card data, and automate browser-based checkouts on platforms like Amazon and Shopify (SKILL.md, CHECKOUT-GUIDE.md). While the documentation details several security measures—such as ephemeral sub-agents (agents/OPENCLAW.md), server-side guardrails, and mandatory owner approval—the complexity of the instructions and the requirement for agents to process sensitive financial information in a browser environment present a significant security risk. No clear evidence of malicious intent was identified, but the high-privilege nature of the tasks warrants a suspicious classification.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing this may give an agent authority to operate a broader financial/payment account than a user would expect from an Amazon checkout skill.
The skill presents as an Amazon checkout skill but documents much broader financial authority, including card spending, wallet payments, and storefront management.
name: amazon-checkout ... description: Amazon Checkout ... CreditClaw.com is a financial enablement platform ... Accept card details ... make purchases ... A stablecoin wallet ... Storefronts and product management
Only install if you intend to use the full CreditClaw financial platform. Keep approval mode set to ask for every purchase, set strict spending limits, and ensure the registry description and credential declarations accurately reflect the real scope.
A remote vendor instruction could change after installation and influence a high-impact checkout flow without being statically reviewed here.
The skill tells the agent to fetch and follow remote, mutable checkout instructions that are not included in the reviewed files.
If a vendor skill exists → use it ... Get a Vendor Skill ... Returns the vendor's complete checkout instructions as Markdown.
Treat remotely fetched vendor instructions as untrusted until reviewed, require explicit user confirmation before following them, and prefer pinned or locally bundled versions for payment workflows.
An agent with the API key could create public payment artifacts or send invoices, creating external business or reputational effects beyond simple shopping.
The bundled docs expose public payment-page and email-invoice actions that are not clearly part of an Amazon checkout task.
Create public checkout pages where anyone can pay you ... Send Invoices ... POST /bot/invoices/[id]/send ... Sends the invoice to the recipient via email
Separate selling/invoicing capabilities into a distinct skill or require explicit, per-action user approval before creating checkout pages, payment links, or sending invoices.
If approvals or spending limits are too loose, the agent could complete real purchases with the owner's funds.
The core checkout flow intentionally lets the agent drive browser/API actions to complete purchases. This is purpose-aligned, but financially sensitive.
Once approved → call POST /bot/rail5/key ... Decrypt card details ... Fill shipping/billing, then card fields ... Submit and capture confirmation
Keep owner approval enabled, verify merchant, item, and amount before checkout, and stop on CAPTCHA, OTP, 3DS, or unexpected order-review screens.
Card data could be exposed if logs, transcripts, memory, or screenshots capture it during checkout.
The skill explicitly handles decrypted card data in agent/browser context, while also documenting appropriate ephemeral handling.
Never store, log, or persist decrypted card data. It exists only in memory for the duration of a single checkout. Discard it immediately after.
Use ephemeral checkout contexts or sub-agents, disable persistent memory/logging for card entry, and verify that decrypted card values are never saved in chat history or files.
A misconfigured or untrusted callback URL could receive sensitive sales, payment, or balance information.
The skill documents webhook delivery of financial and buyer information to a configured callback URL.
CreditClaw fires webhooks to your callback_url ... wallet.sale.completed ... buyer_email ... new_balance_usd
Only set callback URLs you control, store webhook secrets securely, and verify webhook signatures before acting on events.