Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

AgentFin

v1.0.0

Issue virtual Visa/MC cards funded by USDT. Check balance, get card credentials, fetch OTP codes — all via REST API.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description (virtual cards, balance, credentials, OTP) matches the single required credential (AGENTFIN_API_KEY) and the API endpoints described in SKILL.md. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
SKILL.md is instruction-only and limits actions to calling the AgentFin REST API (balance, card sensitive endpoint, inbox/latest-otp, topup, transactions). It does not instruct reading other files, environment variables, or transmitting data to third parties beyond the documented base URL.
Install Mechanism
No install spec and no code files — instruction-only skill (lowest install risk). Nothing is downloaded or written to disk by the skill itself.
Credentials
Only AGENTFIN_API_KEY is required and declared as the primary credential, which is proportionate for an API-based payment/card service.
Persistence & Privilege
Skill is not force-included (always:false) and does not request persistent system privileges or modification of other skills. Autonomous invocation is allowed by default but not excessive here.
Scan Findings in Context
[no-code-to-scan] expected: Scanner found no code files to analyze; this is expected because the skill is instruction-only (SKILL.md contains curl examples). Absence of regex findings is not evidence of safety; the SKILL.md is the primary surface to review.
Assessment
This skill is internally coherent for controlling a third-party virtual-card service, but it performs very sensitive actions (revealing PAN/CVV, fetching OTPs, moving funds). Before installing: verify the vendor (agentfin.tech) and publisher reputation; only provide an API key with the minimum privileges and rotate it frequently; never store or log PAN/CVV/OTP values in plaintext; enable monitoring/alerts for API key use and unexpected charges; confirm you have legal/contractual right to issue and use cards via this service; consider using an ephemeral or limited-scope key for testing; and treat the skill as high-risk if you cannot validate the provider or its regulatory compliance.

Like a lobster shell, security has layers — review code before you run it.

latestvk97a75ywmq9dhsrbczdpq3gt8s820jkm


Runtime requirements

💳 Clawdis
Env: AGENTFIN_API_KEY
Primary env: AGENTFIN_API_KEY

SKILL.md

AgentFin — Virtual Cards for Agents

You have access to the AgentFin API. Use it to check your balance, get virtual card credentials for online purchases, and fetch OTP codes for 3DS verification.

Authentication

All requests require a Bearer token. Use the AGENTFIN_API_KEY environment variable.

Authorization: Bearer $AGENTFIN_API_KEY

Base URL: https://agentfin.tech/api

Endpoints

Check Balance & Card Status

curl -H "Authorization: Bearer $AGENTFIN_API_KEY" \
  https://agentfin.tech/api/me

Response includes balance (USD string), card object with maskedPan and status, and depositAddress for USDT top-ups.

Get Card Credentials (for online purchases)

curl -H "Authorization: Bearer $AGENTFIN_API_KEY" \
  https://agentfin.tech/api/cards/{cardId}/sensitive

Returns pan, cvv, expiryMonth, expiryYear, cardHolderName, billingAddress. Rate limited to 10 requests/minute.

Important: Use the cardId from the /api/me response (card.cardId field).

Fetch Latest OTP Code (for 3DS verification)

curl -H "Authorization: Bearer $AGENTFIN_API_KEY" \
  https://agentfin.tech/api/inbox/latest-otp

Returns the most recent email with extracted OTP codes. The extractedCodes field is an array of strings. Use the first element as the verification code.

If a purchase triggers 3DS, wait 10-30 seconds for the OTP email to arrive, then call this endpoint.

Top Up Card Balance

curl -X POST -H "Authorization: Bearer $AGENTFIN_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"amount": 50, "currency": "USD"}' \
  https://agentfin.tech/api/cards/{cardId}/topup

Moves funds from your account balance to the card. The card is prepaid — you cannot spend more than the loaded amount.

View Transaction History

curl -H "Authorization: Bearer $AGENTFIN_API_KEY" \
  https://agentfin.tech/api/me/transactions

Returns all deposits, card charges, top-ups, and refunds.

Typical Purchase Flow

  1. Check balance with GET /api/me — ensure sufficient funds
  2. Get card credentials with GET /api/cards/{cardId}/sensitive
  3. Use PAN, CVV, expiry to fill in payment form on merchant site
  4. If 3DS is triggered, wait ~15 seconds then GET /api/inbox/latest-otp
  5. Submit the OTP code from extractedCodes[0]
  6. Purchase complete

Important Notes

  • The card is prepaid. You cannot spend more than the loaded balance.
  • Card credentials are rate-limited (10/min). Cache them for the duration of a purchase session.
  • OTP codes arrive via email to a dedicated inbox. There may be a 10-30 second delay.
  • Fund the account by sending USDT (TRC20) to the deposit address from GET /api/me.
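
The notes above tell the agent to cache card credentials for a purchase session, and the scan assessment advises never storing or logging PAN/CVV/OTP values in plaintext. The following is an added example (not part of the skill or of the AgentFin API) that redacts those fields from a decoded response before it reaches a log or agent transcript. The key names are the ones SKILL.md lists; the response nesting, the `note` field and the sample values are constructed assumptions.

```python
import json
import re

# Field names below come from the SKILL.md text; the response shape is assumed.
SECRET_KEYS = {"cvv", "extractedCodes", "expiryMonth", "expiryYear",
               "cardHolderName", "billingAddress"}
# 13-19 digits, optionally separated by spaces or hyphens.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits):
    """Luhn checksum: filters out order numbers and other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(value):
    """Keep only the last four digits of a card number."""
    digits = re.sub(r"\D", "", str(value))
    return "*" * (len(digits) - 4) + digits[-4:]


def scrub_text(text):
    """Mask Luhn-valid card numbers that appear inside free text."""
    def repl(match):
        digits = re.sub(r"\D", "", match.group(0))
        return mask_pan(digits) if luhn_ok(digits) else match.group(0)
    return PAN_RE.sub(repl, text)


def redact(obj):
    """Return a copy of a decoded JSON response that is safe to log."""
    if isinstance(obj, dict):
        return {k: mask_pan(v) if k == "pan"
                else "[REDACTED]" if k in SECRET_KEYS
                else redact(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return scrub_text(obj) if isinstance(obj, str) else obj


# Constructed sample (industry test card number, not a real response).
SAMPLE = {"pan": "4111111111111111", "cvv": "123", "expiryMonth": 12,
          "note": "charged 4111 1111 1111 1111, order 1234567890123456"}

if __name__ == "__main__":
    print(json.dumps(redact(SAMPLE), sort_keys=True))
```

Apply `redact` at the logging boundary only; the in-memory copy used to fill the payment form stays unredacted and should be dropped when the purchase session ends.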
