Shop from Adidas - Online with CreditCard

Security checks across malware telemetry and agentic risk

Overview

This is a real-money shopping and payments skill with guardrails, but its packaged and marketplace identities could make users underestimate the breadth of purchasing authority they grant.

Install only if you intend to grant this agent broad CreditClaw payment authority, not merely Adidas shopping or a narrow Stripe wallet. Before use, set low spending limits, prefer approval for every purchase, restrict merchants and categories, protect the CREDITCLAW_API_KEY as a spending credential, and review any shipping address, merchant, amount, payment link, or x402 recipient before allowing transactions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (18)

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
This file describes a materially different capability than the skill manifest: agent-driven Amazon purchasing, owner approval, and order tracking, rather than Stripe/Link wallet top-ups or general wallet usage. That mismatch is dangerous because it can conceal a broader commerce capability from reviewers and users, enabling unintended real-world purchases and operational access beyond the declared scope.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill collects and transmits full shipping-address data for physical fulfillment, which is sensitive personal information and not justified by the stated wallet/top-up description. In context, this expands the skill from payments into real-world goods ordering, increasing privacy risk, data handling obligations, and the chance of unauthorized or excessive personal-data collection.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill is presented as a Stripe wallet heartbeat, but it directs the agent to query a third-party CreditClaw service for status across multiple payment rails. This creates a scope mismatch that can mislead operators into exposing wallet metadata, balances, and control state to an external service they may not expect, increasing the chance of unauthorized financial monitoring or misuse.

Description-Behavior Mismatch

Low
Confidence
88% confidence
Finding
A heartbeat routine should be passive status monitoring, but this one escalates to an active financial action by sending a top-up request. That changes the trust boundary from observation to account-affecting behavior and can trigger unintended payment workflows or social-engineering prompts to the human operator.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The manifest identifies the skill as "creditclaw-stripe" with shopping and wallet behavior, while the provided skill context describes a Stripe wallet skill under a different identity. This mismatch can mislead users and security reviewers about the true origin, scope, and trust boundary of the skill, which is especially risky for a payment-capable integration handling credentials and purchases.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The manifest description materially understates the skill’s real capabilities. It presents the skill as a Stripe-powered wallet for top-ups and x402/A2A payments, while the body enables broader shopping, merchant checkout, and payment collection, which can mislead users or orchestrators into granting it more trust or broader invocation than intended.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill can generate payment links to charge arbitrary third parties, but this capability is not reflected in the manifest’s stated purpose. Hidden money-movement features increase the chance of misuse, social engineering, or unexpected activation in environments that only intended to allow wallet funding and spending.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The skill exposes broad shopping and card-checkout operations that go far beyond the narrow Stripe/x402 wallet framing in the manifest. This mismatch weakens informed consent and can cause policy engines or users to underestimate that the skill can initiate purchases across many merchants.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The description explicitly says the agent can 'shop online' and references funded wallets and payments, but it does not warn that actions may spend real money or create financial liability for the user. In an agentic payments context, missing disclosure increases the chance of unintended purchases, user confusion, and unsafe delegation of payment authority.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The top-up request POST sends financial context and authenticated account information to an external service without an explicit warning or consent checkpoint. In a wallet skill, this is risky because the agent may transmit sensitive operational data and initiate funding-related workflows the user did not realize would occur automatically.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The example shows sending an API bearer token together with detailed shipping PII to an external service, but it provides no explicit warning about secret handling, data minimization, or privacy implications. In a wallet/purchasing skill, this is operationally expected, but the omission can lead users or downstream agents to log, reuse, or expose credentials and personal address data insecurely.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This documentation instructs an agent to initiate purchases at arbitrary online merchants but does not prominently warn that successful or approved requests can cause real-world financial transactions. In an agent-skill context, missing this warning materially increases the risk of unintended charges because an operator may treat the action as informational or low-risk automation rather than a payment-capable workflow.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The manifest advertises shopping, wallet, and payment functionality but provides no explicit user-facing warning in the manifest about purchases, fund movement, external API transmission, or owner approval requirements. In a financial skill, missing disclosure increases the chance of unintended transactions or overly broad trust by users and agents, making the context more dangerous than a typical non-payment skill.

Vague Triggers

Medium
Confidence
75% confidence
Finding
The top-level description uses broad, user-friendly language around wallets, purchases, and A2A payments without clearly constraining when the skill should be invoked. In agent ecosystems, vague invocation semantics can trigger unintended use of financial actions in contexts where the user did not mean to enable spending or payment flows.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The guide explains a real payment-signing and settlement flow for USDC on Base but does not explicitly warn that signatures can move real funds and that blockchain-backed payments may be irreversible or difficult to recover. In an agent skill context, this omission increases the chance that an autonomous system will treat the flow as routine HTTP retry logic rather than a financially sensitive action.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
## How It Works

Self-hosted cards use a split-knowledge privacy model. Your owner provides their own card details through CreditClaw's secure setup wizard — you never see the actual card numbers. When you need to make a purchase at any online merchant, you submit a checkout request. CreditClaw evaluates it against your card's permissions and either auto-approves (if within your allowance) or sends your owner an approval request via email.

**Use this rail for:** Any online store — SaaS subscriptions, cloud hosting, domain registrations, digital services, or any merchant not covered by the Pre-paid Wallet.
Confidence
91% confidence
Finding
auto-approve

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
1. You submit a checkout request with merchant and amount details
2. CreditClaw evaluates the request against your card's permissions
3. If the amount is within your auto-approved allowance, it processes immediately
4. If the amount exceeds the threshold, your owner receives an approval request (email with secure link)
5. You poll for the result
6. Once approved, the transaction is recorded
Confidence
94% confidence
Finding
auto-approve

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
## Allowance Thresholds

Your owner sets a per-profile allowance threshold for each card. Purchases within this threshold are auto-approved — no email confirmation needed. Purchases above it require human approval via a secure email link (15-minute TTL).

Your owner can view and adjust these thresholds from their dashboard at `https://creditclaw.com/app/self-hosted`.
Confidence
92% confidence
Finding
auto-approve

VirusTotal

66/66 vendors flagged this skill as clean.
