Card Credits

Pass

Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: card-credits
Version: 1.0.5

The skill uses high-risk capabilities, including shell execution via `curl` and the use of an environment variable (`BRAVE_API_KEY`) to query the Brave Search API. While `SKILL.md` includes explicit security instructions to prevent shell injection and restrict `WebFetch` to specific domains, the use of shell-based network access for a search task is considered risky behavior under the analysis criteria. No evidence of malicious intent, data exfiltration, or prompt injection was found, and the logic appears aligned with its stated purpose of researching credit card benefits.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If this optional path is used, the card query may be sent to Brave Search through an API request.

Why it was flagged

The skill documents an optional raw API call through curl. It is limited to search, disclosed, and aligned with the skill's purpose, but users should notice that it depends on an external API path.

Skill content

If `BRAVE_API_KEY` is available and the runtime also provides `curl`, you may use Brave Search API instead

Recommendation

Use the default WebSearch/WebFetch path unless you intentionally want to configure Brave Search; ensure any curl/API use stays limited to the documented search template.

What this means

Providing this key would allow the skill's search request to authenticate to Brave Search under that API credential.

Why it was flagged

The skill can use an optional API key for Brave Search. This is a credential, but it is disclosed and only tied to the search function.

Skill content

optionalEnv:
  - BRAVE_API_KEY

Recommendation

Only provide a Brave API key if you are comfortable using Brave Search for these lookups, and use a key scoped only to search if possible.