CashApp - Give your Claw Agent Cash

Security checks across malware telemetry and agentic risk

Overview

This skill is a real-money payment and shopping wallet that mostly matches its stated purpose, but it needs careful review because it gives agents broad spending, card-handling, and personal-data authority.

Install only after deciding that this agent should have controlled real-money spending ability. Keep ask-for-everything approval enabled, set low limits, use a dedicated API key in a secrets manager, avoid main-agent card decryption, inspect remotely fetched or delivered scripts before execution, store encrypted card files in a restricted non-synced location, and require explicit confirmation before orders, invoices, payment links, public shop changes, or top-up requests.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The file documents Crossmint-backed purchasing and merchant-order placement that materially expands and conflicts with the stated Stripe/Link wallet purpose in the skill metadata. This discrepancy can mislead operators and agents about the real capabilities available, increasing the chance of unauthorized purchasing behavior or unsafe invocation of undocumented commerce flows.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
This documentation describes a capability to place real merchant orders using shipping addresses, which is substantially more sensitive than a generic wallet top-up or payment skill. In an agent context, this expands the action surface from transferring funds to purchasing physical goods and handling personal delivery data, creating higher risk of abuse, unauthorized orders, and privacy violations.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The skill instructs the agent to execute a local Node.js script embedded in or delivered with the card file in order to decrypt highly sensitive payment data. Executing delivered code creates a code-execution trust boundary failure: a compromised or tampered card file could run arbitrary local code, exfiltrate secrets, or persist malware, which is far more dangerous than a normal wallet/checkout capability.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The document markets the sub-agent model as ensuring the main agent never sees decrypted card data, but then explicitly permits the main agent to run the same checkout flow directly and access plaintext card details. This contradiction can mislead operators into believing the design provides stronger data isolation than it actually does, increasing the chance that card data is exposed in primary agent context, logs, tools, or memory.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill explicitly supports collecting buyer-identifying data such as name and email and returning that data in sales records, but it provides no privacy warning, consent guidance, retention guidance, or data-handling limitations. In a payments context this increases the risk that an agent operator will collect and process personal data without appropriate user notice or minimization.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The invoice workflow instructs the user to create invoices that are later sent to recipient_email, and elsewhere payment links are intended to be sent to payers, but the skill does not clearly warn that this triggers or facilitates outbound communication to third parties. That omission can cause agents to contact external recipients unexpectedly, leading to privacy, consent, spam, or abuse issues.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The guide instructs users to submit full shipping addresses for purchases but does not clearly warn that this personal data will be transmitted to CreditClaw, Crossmint, and downstream merchants. Omitting this disclosure weakens informed consent and can cause accidental exposure of sensitive personal information through third-party systems.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill tells the agent to save a self-contained encrypted card file to disk under a predictable local path, but provides little operational guidance about host-level risks such as filesystem permissions, backups, synchronization, malware scanning, accidental commits, or retention. Even though the file is encrypted, it is a durable payment artifact paired with a retrievable key workflow, so local persistence broadens the attack surface and may aid later compromise.

External Transmission

Medium
Category
Data Exfiltration
Content
## Purchase Request

```bash
curl -X POST https://creditclaw.com/api/v1/card-wallet/bot/purchase \
  -H "Authorization: Bearer $CREDITCLAW_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
```
Confidence
87% confidence
Finding
The flagged content is the purchase request shown above: a POST to the external endpoint https://creditclaw.com/api/v1/card-wallet/bot/purchase that sends the CREDITCLAW_API_KEY as a bearer token together with a JSON request body.

VirusTotal

66/66 vendors flagged this skill as clean.
