Block for OpenClaw - Spend anywhere or request payment from anyone.

Security checks across malware telemetry and agentic risk

Overview

This skill is a real-money payment tool whose Amazon-shopping label understates broader spending, card-handling, and seller-payment powers.

Install only if you intentionally want an agent to handle broad CreditClaw payment workflows, not just Amazon purchases. Keep per-purchase approval enabled, restrict merchant/domain permissions, protect CREDITCLAW_API_KEY like a payment credential, avoid main-agent card decryption, and inspect or sandbox any delivered decrypt script and remote companion files before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (13)

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%
Finding:
The file for an Amazon-shopping skill materially expands scope to Shopify and arbitrary URL-based purchases, enabling broader commerce actions than the skill metadata suggests. This can mislead users or downstream agents into authorizing purchases from less constrained merchants, increasing abuse risk and reducing the effectiveness of Amazon-specific guardrails.

Intent-Code Divergence

Severity: Medium
Confidence: 92%
Finding:
Labeling this as a companion to the Amazon skill while documenting generic Crossmint purchasing creates a scope mismatch that can cause users, reviewers, or agents to trust capabilities they did not intend to enable. In a purchasing context, ambiguous scope is dangerous because it can normalize broader buying authority and obscure what merchants and transactions are actually permitted.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding:
The file is presented as part of an Amazon shopping skill, yet it explicitly broadens scope to arbitrary merchant checkout and real-world card handling. This capability expansion weakens the user's ability to understand where payment credentials may be used and increases the chance of unintended purchases at non-Amazon destinations.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding:
The documented checkout flow instructs the agent to complete purchases at merchants such as DigitalOcean, which is inconsistent with the stated Amazon shopping purpose. This mismatch creates a confused-deputy risk where a user may authorize an Amazon shopping skill but the agent gains generalized purchasing ability elsewhere.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding:
The skill directs the agent to execute a self-contained Node.js decrypt script delivered inside a card file, which is effectively instruction to run code from externally supplied content. Even if intended for decryption, this introduces arbitrary code-execution risk in the agent environment, especially because the file arrives via webhook/messages and is then run locally.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding:
The manifest frames this as an Amazon shopping skill, but the document exposes a much broader financial platform including wallet management, cross-rail payments, and merchant selling features. This scope mismatch can mislead users and agents into granting a shopping skill capabilities far beyond what they expect, increasing the chance of unsafe delegation and over-privileged use.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding:
The skill includes seller-facing capabilities such as payment links, invoices, checkout pages, seller profiles, and public shops, which are unrelated to the stated purpose of shopping on Amazon. These extra capabilities materially expand the attack surface from purchasing to money collection and public commerce, enabling misuse that a user would not reasonably infer from the skill name.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The example shows transmission of a bearer token, full shipping address, product details, and price to a live purchase endpoint without prominent privacy, safety, or approval warnings. Because these are real purchase instructions tied to sensitive personal and account data, users or agents may submit real orders or expose PII without understanding the consequences.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The instructions tell the agent to save an encrypted card file locally under a predictable path without prominent warnings, storage controls, or lifecycle requirements. Although encrypted, the file is payment-related material paired with a later key-retrieval flow, so local persistence increases theft, misuse, backup leakage, and accidental exposure risks.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
The skill instructs the agent to send authenticated requests that retrieve wallet status, balances, spending limits, and guardrail data, but it provides no user-facing warning that sensitive financial metadata will be transmitted to an external service. In a payment-related skill, this omission matters because operators may not realize the heartbeat routine continuously discloses account state and permissions over the network using a bearer token.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The skill references a bearer credential in command examples without any warning about secure storage, non-disclosure, or avoiding exposure through shell history, logs, screenshots, or error output. Because this API key appears to authorize access to wallet status and spending controls across active payment rails, mishandling it could allow unauthorized insight into financial data and potentially abuse of connected payment functionality.

Missing User Warnings

Severity: Medium
Confidence: 83%
Finding:
The skill provides shell commands that create directories and write multiple files into the local filesystem without an explicit warning that these commands modify persistent state. In agentic settings, this can lead to unintended local changes or silent skill installation when the user only intended to inspect documentation.

External Transmission

Severity: Medium
Category: Data Exfiltration
Content:
The sub-agent calls this endpoint to retrieve the one-time decryption key:

```bash
curl -X POST https://creditclaw.com/api/v1/bot/rail5/key \
  -H "Authorization: Bearer $CREDITCLAW_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "checkout_id": "r5chk_abc123" }'
```

Confidence: 88%

VirusTotal

64/64 vendors flagged this skill as clean.
