Skillv1.0.7

ClawScan security

Block for OpenClaw - Spend anywhere or request payment from anyone. · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 11, 2026, 1:05 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's declared purpose and required credential (CREDITCLAW_API_KEY) align with an agent payment integration, but the runtime instructions ask the agent to download files and execute provider-supplied decrypt scripts — a high-risk pattern that should be reviewed before installing.
Guidance: This skill is coherent with its stated purpose (an agent-facing payments API) and only requests one expected credential (CREDITCLAW_API_KEY). However, before installing: - Understand that the API key grants the skill authority to initiate purchases and top-up requests — treat it like a spending credential and only install if you trust creditclaw.com and the account owner. - The runtime expects you to download files from creditclaw.com and save them to ~/.creditclaw/; those files may include executable decrypt scripts which the agent is instructed to run (node decrypt.js). Running provider-supplied scripts is effectively remote code execution. If you cannot review or sandbox those scripts, do not install. - Prefer the strictest approval mode (Ask me for everything) so the agent cannot auto-spend. Require owner approval for any real purchase and avoid enabling auto-approve options unless you fully trust the integration. - If possible, enforce the sub-agent pattern or other sandboxing so decrypted card data never appears in the main agent context. If your environment cannot spawn isolated sub-agents, consider not enabling the Encrypted Card rail. - Audit any downloaded card files and decrypt scripts before executing. Confirm the domain (creditclaw.com) and owner relationship out-of-band if this came from an unknown source. Given the remote-download + execute pattern and the financial blast radius of a leaked or abused API key, proceed only after reviewing the provider, limiting approval modes, and ensuring sandboxing of decrypt/checkout execution.

Review Dimensions

Purpose & Capability: okName/description (agent shopping with guardrailed wallets) match the single required env var (CREDITCLAW_API_KEY) and the API endpoints referenced. Requested credential is appropriate for a payments API and there are no unrelated environment variables or unrelated binaries required.
Instruction Scope: concernSKILL.md and companion files instruct the agent to download multiple files from creditclaw.com into ~/.creditclaw/, save encrypted card files to .creditclaw/cards/, and execute checkout flows. Critically, encrypted-card.md specifies that each delivered card file contains a decrypt script (node decrypt.js) that the agent is expected to run. Executing provider-supplied scripts and saving/reading card files gives the skill broad ability to execute remote code and access sensitive payment data. The documents also allow fallback to running those steps in the main agent context (exposing decrypted card data) if sub-agents aren't available.
Install Mechanism: concernNo formal install spec, but the README explicitly instructs curl-ing many files from https://creditclaw.com into the user home directory. Downloading and saving arbitrary documents (and decrypt scripts embedded in delivered files) from the provider effectively installs remote code without a vetted package/install mechanism. While the files come from the declared domain, this pattern introduces risk because the downloaded content can contain executable scripts.
Credentials: okOnly CREDITCLAW_API_KEY is required and declared as the primary credential, which is proportional for a payments integration. There are no unrelated secrets requested. The skill also documents that the API key must only be used with creditclaw.com endpoints.
Persistence & Privilege: noteSkill is not always-enabled and is user-invocable (normal). It asks the agent to persist files under ~/.creditclaw/ and .creditclaw/cards/ (suggested paths), which is reasonable for a wallet/checkout skill but increases persistence of provider-supplied artifacts on disk. Spawning ephemeral sub-agents is recommended for secrecy, but a fallback to executing in the main agent is allowed and expands exposure.