MoneyClaw
ReviewAudited by ClawScan on May 1, 2026.
Overview
MoneyClaw is a clearly scoped payment skill, but it handles real prepaid payment authority and card execution details, so users should verify amounts, merchants, and auto-approval settings before using it.
Before installing, verify that you trust MoneyClaw and the publisher, keep prepaid balances limited, disable agent auto-approval unless you intentionally want it, and require the agent to confirm the exact merchant domain, amount, and currency before retrieving card details or continuing checkout.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using this key can inspect account payment state and retrieve details needed to complete a checkout when the documented conditions are met.
The API key is expected for this payment service, but it gives access to wallet state and payment execution details such as card/billing credentials.
This skill requires one MoneyClaw API key... GET /api/me for wallet readiness... GET /api/payment-intents/:intentId/credentials only when the task is card_ready
Use a dedicated prepaid balance, keep the key private, revoke or rotate it when no longer needed, and only allow credential retrieval for a payment step you explicitly approved.
If auto-approval is enabled, an agent action could spend prepaid funds within the task scope without an additional dashboard confirmation.
The skill can create payment tasks that may move toward approval without a dashboard click if the account has agent auto-approval enabled. The artifacts bound this by merchant, amount, and user intent.
When that flag is on, API-key-created payment tasks can be auto-approved within the merchant and amount scope of the task.
Leave agent auto-approval disabled unless you intentionally want it, and verify the exact merchant domain, amount, and currency before each payment task.
Some prepaid funds may be reserved for the shared execution card and reused later, which could surprise users expecting only the current purchase amount to be moved.
A first payment setup can affect later payment state by reserving more than the immediate purchase amount onto a reusable hidden card, though this behavior is disclosed.
MoneyClaw may reserve the provider minimum initial deposit onto that shared hidden card even if the current task amount is smaller. Any residual stays on the same hidden card for later tasks.
Check wallet and task state after first use, and understand any provider minimum deposit before approving the initial hidden-card bootstrap.
If used, the agent could help enable merchant mode, create invoices, or change payment collection settings for the authenticated account.
The included reference documents merchant-side account mutation and invoice setup beyond the primary buyer-side payment flow, but it is explicitly gated to user-requested merchant collection.
Use this reference only when the user explicitly wants merchant-side payment collection... POST /api/acquiring/setup... creates merchant settings... generates a webhook secret... enables merchant mode
Only use the acquiring flow if you intend to accept payments, save webhook secrets securely, and review any webhook URL or invoice details before applying changes.
The main risk is trust in the service and publisher rather than hidden local code execution.
There is no local code to install or execute, but the registry source is unknown, so users are relying on the published instructions and the external MoneyClaw service.
Source: unknown; No install spec — this is an instruction-only skill; No code files present
Verify the provider, homepage, and API key setup before connecting a real payment account.