Skillv1.0.0

ClawScan security

CashApp - Give your Claw Agent Cash · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 11, 2026, 1:00 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's declared purpose (agent wallets via CreditClaw) matches the requested API key, but the runtime instructions ask the agent to download and execute scripts delivered from the network (embedded decrypt scripts), and they reference runtime tools (node, curl) even though the registry metadata lists no required binaries — these behaviors raise meaningful safety concerns.
Guidance: This skill largely does what it says (a CreditClaw payment wallet) and only asks for one API key, which is appropriate — but there are two things to consider before installing: 1) Missing runtime requirements: The skill's instructions expect tools like curl and node (and the ability to spawn sub-agents), but the registry metadata lists no required binaries. Confirm your environment has the intended runtime (and sandboxing) before enabling this skill. 2) Executing downloaded decrypt scripts: The encrypted-card flow delivers a file that contains an embedded decrypt script and instructs the agent to run it (node decrypt.js ...). Running code delivered from the network is dangerous unless you trust the vendor completely or the runtime enforces strong isolation. Prefer running such code in a verified sandbox/sub-agent with no access to secrets or the host filesystem, and inspect the contents of any decrypt script before executing. Practical steps: - Only use this skill if you trust creditclaw.com and understand the subprocess/sub-agent isolation your agent runtime provides. - Require owner approval for all purchases (set approval_mode to ask_for_everything) until you are comfortable with behavior. - Inspect any card file and embedded decrypt script prior to execution; demand the vendor provide a minimal, auditable decrypt library (not arbitrary scripts embedded into card payloads). - If possible, run the decrypt step in a disposable, network-restricted sandbox so a malicious decrypt script cannot exfiltrate the API key or other files. What would change this assessment to benign: explicit declaration of required binaries (curl, node), a documented, auditable decrypt implementation (or signed/verified artifact) rather than arbitrary embedded scripts, and clear guarantees or measurable evidence that ephemeral sub-agents are strongly sandboxed and cannot leak secrets.

Review Dimensions

Purpose & Capability: noteName/description, API base, and required env var (CREDITCLAW_API_KEY) align with a payment/wallet integration. However, the SKILL.md runtime expects the agent to use tools like curl and node (e.g., 'node decrypt.js') yet the registry metadata listed no required binaries — a mismatch that should be fixed or explained.
Instruction Scope: concernThe instructions direct the agent to download skill and card files from creditclaw.com and to run a decrypt script embedded in delivered card files (node decrypt.js <key> ...). Executing code that arrives inside an encrypted-card payload is high-risk: the decrypt script could perform arbitrary actions (exfiltrate data, access other files, run commands) unless strictly sandboxed. While the skill recommends spawning ephemeral sub-agents to isolate secret handling, that pattern relies on the agent environment implementing proper isolation — which is not guaranteed.
Install Mechanism: noteNo formal install spec (instruction-only) and provided curl URLs point to the vendor domain (creditclaw.com), which is consistent with the homepage. That reduces some supply-chain risk. But the instructions explicitly tell users/agents to save files to ~/.creditclaw and later execute code contained in delivered card files — effectively an ad-hoc code download-and-run workflow that increases risk compared to a vetted package or signed release.
Credentials: okOnly a single credential (CREDITCLAW_API_KEY) is required and is directly relevant to the service. The SKILL.md also explicitly warns not to send the API key to other domains, which is coherent with the purpose.
Persistence & Privilege: noteSkill does not request always:true and is user-invocable (normal). It instructs saving skill files and encrypted card files under ~/.creditclaw/ and recommends creating ephemeral sub-agents; writing to a user directory is plausible for this use-case but does persist downloaded content on disk. Combined with the execute-from-file pattern, persistent files increase attack surface.