CardPointers

Review

Audited by ClawScan on May 1, 2026.

Overview

This is a coherent CardPointers CLI wrapper, but using it means logging into CardPointers and allowing the CLI to read card wallet, offer, and linked-profile data.

Before installing, confirm you trust the CardPointers CLI/Homebrew tap and are comfortable logging into CardPointers from this machine. Use the official API endpoint, be careful with outputs that reveal your cards or offers, and run `cardpointers logout` when you no longer want the local token stored.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

An agent using this skill can retrieve your CardPointers wallet, offers, account status, and linked-profile information after you log in.

Why it was flagged

The skill requires a CardPointers login and stores a JWT token locally, giving the CLI delegated access to the user's CardPointers wallet and account data.

Skill content

- **Config:** `~/.cardpointers/config` (JWT token, auto-created on login)
- **Auth:** Run `cardpointers login` to authenticate

Recommendation

Use it only with a CardPointers account you intend to expose to the agent, avoid sharing outputs publicly, and run `cardpointers logout` if you want to remove the saved token.

What this means

Installing the skill requires trusting the CardPointers Homebrew tap and jq package on the local machine.

Why it was flagged

The skill relies on external Homebrew packages rather than included code. This is consistent with a CLI wrapper, but the installed binaries are outside the reviewed SKILL.md content.

Skill content

[0] brew | formula: cardpointers/tap/cardpointers | creates binaries: cardpointers
[1] brew | formula: jq | creates binaries: jq

Recommendation

Install from the official CardPointers source, keep the CLI updated, and verify the Homebrew formula before use if you have strict supply-chain requirements.

What this means

Purchase categories, merchants, amounts, card data, or offer queries may be sent to the configured CardPointers endpoint; an untrusted override could redirect those requests.

Why it was flagged

The CLI communicates with a CardPointers API/MCP endpoint, and the endpoint can be changed via environment variable.

Skill content

`CARDPOINTERS_API` | Override API base URL (default: `https://mcp.cardpointers.com`)

Recommendation

Keep `CARDPOINTERS_API` pointed at the official endpoint unless you deliberately trust another server, and avoid sending more purchase detail than needed.