Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

CreditClaw Wallet

v2.9.5

Give your agent spending power.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The skill is described as giving the agent spending power and the only required environment variable is CREDITCLAW_API_KEY. All documented API calls, checkout flows, and browser automation steps directly map to that purpose.
Instruction Scope
The SKILL.md and companion guides instruct the agent to request approvals, retrieve a one-time decryption key, decrypt card data in-memory, and type card details into merchant checkouts. This is expected for a wallet/checkout skill but is inherently sensitive because the agent will handle raw card data and interact with third-party merchant pages. The files include explicit security guidance (do not leak the API key, discard decrypted card data).
Install Mechanism
Instruction-only skill (no install spec, no downloaded code). This minimizes installation risk — nothing is written to disk by the package itself.
Credentials
Only a single credential (CREDITCLAW_API_KEY) is requested, which is proportional for a service that authorizes spending. The instructions consistently use that key and do not request unrelated secrets.
Persistence & Privilege
always:false (normal). The skill allows autonomous invocation (disable-model-invocation:false), which is the platform default; combined with possession of CREDITCLAW_API_KEY this enables the agent to initiate spend flows autonomously if approval mode permits. The skill documentation emphasizes default 'ask_for_everything' approval, but owners should verify their configured approval mode before enabling the skill.
Assessment
This skill is internally coherent for giving an agent spending power, but it performs highly sensitive actions: it will request approval, retrieve single-use decryption keys, decrypt card details in memory, and command the agent to type card data into third-party merchant pages. Before installing, verify you trust the vendor (CreditClaw), store the CREDITCLAW_API_KEY securely, and ensure the owner's approval mode is strict (e.g., ask_for_everything) so the agent cannot spend without explicit owner confirmation. Note minor metadata inconsistencies in the package manifest (some files claim a homepage and primaryEnv while the registry summary omitted them); confirm the skill's source (homepage/repo) and review any platform-level webhook callback URLs you register. Finally, treat this skill as high-sensitivity: limit which agents get the key, monitor transaction logs closely, and revoke/freeze the wallet immediately if anything unexpected occurs.

Like a lobster shell, security has layers — review code before you run it.



Runtime requirements

Env: CREDITCLAW_API_KEY
