Chase Bank - Give your Claw Agent a credit card

Security checks across malware telemetry and agentic risk

Overview

This real-money payment skill is documented in its body, but its listing understates and misbrands the financial powers it grants.

Review before installing. Verify the CreditClaw/Chase branding, protect CREDITCLAW_API_KEY like a payment credential, keep approval required for every transaction unless you intentionally choose otherwise, set low limits and blocked categories, and review the remote guide files before enabling payment links, x402 payments, subscriptions, or broad online purchases.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Description-Behavior Mismatch

Medium
Confidence: 98%
Finding
The manifest describes the skill as only shopping for tickets, but the body documents broad purchasing across merchants, SaaS, cloud services, and more. This scope mismatch can mislead users, reviewers, or policy gates into granting a far more powerful financial capability than intended.

Description-Behavior Mismatch

Medium
Confidence: 97%
Finding
The manifest omits that the skill can create payment links and collect funds from third parties, which materially expands its operational and fraud surface beyond purchasing. Hidden money-in capabilities reduce transparency and can cause users to authorize a skill without understanding that it can solicit or receive payments.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
Charging third parties via payment links is unrelated to the stated purpose of shopping for tickets online and represents a materially broader financial action. In context, this creates unnecessary capability expansion that could be abused for unauthorized invoicing, social engineering, or unreviewed funds collection.

Context-Inappropriate Capability

Medium
Confidence: 96%
Finding
Agent-to-agent payments and x402 signing go beyond ticket purchasing and introduce additional payment rails with different trust and abuse characteristics. These capabilities expand the blast radius from simple consumer purchases to broader programmable financial transfers and signatures.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill instructs the agent to send an authenticated POST to `/bot/wallet/topup-request`, which creates a real funding request on the user's account, but it does so as part of an automated heartbeat flow without a prominent warning that this is a state-changing action. In an agent setting, periodic background execution increases the chance of repeated or unsolicited financial requests, which can annoy users, create approval fatigue, or trigger unintended wallet/account workflows.
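The four scope findings above all reduce to one check: does the manifest description admit every financial capability the body actually documents? The following added example (not SkillSpector's code and not the skill's own) runs that check over a SKILL.md-style file. It assumes a YAML-like front matter block between `---` lines carrying a `description:` field, followed by the Markdown body the agent follows; the capability phrase table and the sample skill text are constructed here from the findings, not taken from the real listing.

```python
"""Description-vs-body capability check for an agent skill file.

Added example, not SkillSpector's code or the skill's own. Assumes a SKILL.md
layout: front matter between '---' lines with a 'description:' field, then the
Markdown body. The phrase table is a constructed heuristic built from the
findings on this page; extend it for your own review.
"""
import re

# Capability classes -> phrases that indicate them. Constructed for this example.
CAPABILITY_PATTERNS = {
    "money_in_payment_links": r"payment[- ]link|collect (?:funds|payments?)|invoice",
    "agent_to_agent_rails": r"agent[- ]to[- ]agent|\bx402\b",
    "recurring_charges": r"subscription|recurring",
    "wallet_funding": r"top[- ]?up|topup-request",
    "broad_purchasing": r"\bsaas\b|cloud services|any merchant|online purchases",
}


def split_skill(text):
    """Return (description, body). description is '' when no front matter exists."""
    m = re.match(r"^---\s*\n(.*?)\n---\s*\n(.*)$", text, re.S)
    if not m:
        return "", text
    front, body = m.group(1), m.group(2)
    desc = ""
    for line in front.splitlines():
        if line.lower().startswith("description:"):
            desc = line.split(":", 1)[1].strip().strip("\"'")
    return desc, body


def undeclared_capabilities(text):
    """Capabilities the body documents but the description never mentions."""
    desc, body = split_skill(text)
    found = []
    for name, pattern in CAPABILITY_PATTERNS.items():
        rx = re.compile(pattern, re.I)
        # Flag only when the body grants it and the description is silent on it.
        if rx.search(body) and not rx.search(desc):
            found.append(name)
    return found


# Constructed sample: a narrow description over a body that grants far more.
SAMPLE_SKILL = """---
name: ticket-shopper
description: Shops for event tickets online on your behalf.
---
# Rules
Use the wallet to buy tickets. You may also create a payment link to collect
funds from third parties, sign x402 payments to other agents, and manage
subscriptions or SaaS purchases. On heartbeat, POST /bot/wallet/topup-request.
"""

if __name__ == "__main__":
    for cap in undeclared_capabilities(SAMPLE_SKILL):
        print("undeclared capability:", cap)
```

Run this against a skill before installing it; any hit is a capability the listing did not disclose and a reason to read the body, and any remote guide files it pulls in, before granting a payment credential.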

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
**You must follow these rules:**
- If `approval_mode` is `ask_for_everything`, ask your human before any purchase to get their approval. **New accounts default to this mode.** Your owner can loosen this from their dashboard once they're comfortable.
- If `approval_mode` is `auto_approve_under_threshold`, you may spend freely up to `ask_approval_above_usd`. Anything above that requires owner approval.
- If `approval_mode` is `auto_approve_by_category`, you may spend freely on `approved_categories` within limits. All others require approval.
- **Never** spend on `blocked_categories`. These are hard blocks enforced server-side and will be declined.
- Always read and follow the `notes` field — these are your owner's direct instructions.
Confidence: 90%
Finding
auto_approve

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
**You must follow these rules:**
- If `approval_mode` is `ask_for_everything`, ask your human before any purchase to get their approval. **New accounts default to this mode.** Your owner can loosen this from their dashboard once they're comfortable.
- If `approval_mode` is `auto_approve_under_threshold`, you may spend freely up to `ask_approval_above_usd`. Anything above that requires owner approval.
- If `approval_mode` is `auto_approve_by_category`, you may spend freely on `approved_categories` within limits. All others require approval.
- **Never** spend on `blocked_categories`. These are hard blocks enforced server-side and will be declined.
- Always read and follow the `notes` field — these are your owner's direct instructions.
- Cache this for up to 30 minutes. Do not fetch before every micro-purchase.
Confidence: 90%
Finding
auto_approve
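Only `blocked_categories` is enforced server-side in the rules quoted in the two findings above; the thresholds and category allowances are honoured by the agent itself, and the second finding adds a 30-minute cache, so a policy the owner tightens on the dashboard may not reach the agent before its next purchase. The following added example (not the skill's code and not CreditClaw's or Chase's) models those rules as a fail-closed evaluator: hard blocks win in every mode, and an unknown mode, a missing threshold or a stale cached policy all resolve to asking the owner. Field names follow the quoted rules; the request shape (`amount_usd`, `category`), the `fetched_at` timestamp and the `Decision` values are assumptions made for the example.

```python
"""Fail-closed spending-policy evaluator for an agent payment skill.

Added example, not the skill's own code. Models the approval_mode rules quoted
above plus the 30-minute cache; everything outside those rules (request shape,
return values, staleness handling) is an assumption for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional
import time


class Decision(str, Enum):
    APPROVE = "approve"   # agent may pay without asking
    ASK = "ask"           # agent must get the owner's approval first
    DECLINE = "decline"   # hard block; the server would decline it anyway


@dataclass
class Policy:
    approval_mode: Optional[str] = None
    ask_approval_above_usd: Optional[float] = None
    approved_categories: List[str] = field(default_factory=list)
    blocked_categories: List[str] = field(default_factory=list)
    notes: str = ""
    fetched_at: float = 0.0   # assumed: when the agent last fetched the policy


POLICY_MAX_AGE_S = 30 * 60    # the skill tells the agent to cache for 30 min


def evaluate(policy: Policy, amount_usd: float, category: str,
             now: Optional[float] = None) -> Decision:
    """Decide whether a purchase may proceed without owner approval."""
    now = time.time() if now is None else now
    cat = category.strip().lower()

    # Hard blocks apply in every mode and regardless of policy age.
    if cat in {c.lower() for c in policy.blocked_categories}:
        return Decision.DECLINE

    # A cached policy past its age may have been tightened by the owner since
    # it was fetched; fail closed rather than spend on old permissions.
    if now - policy.fetched_at > POLICY_MAX_AGE_S:
        return Decision.ASK

    # Non-positive or NaN amounts are malformed requests: ask, never approve.
    if not amount_usd > 0:
        return Decision.ASK

    mode = policy.approval_mode
    if mode == "ask_for_everything":
        return Decision.ASK
    if mode == "auto_approve_under_threshold":
        limit = policy.ask_approval_above_usd
        if limit is None:          # no threshold set: do not infer an allowance
            return Decision.ASK
        return Decision.APPROVE if amount_usd <= limit else Decision.ASK
    if mode == "auto_approve_by_category":
        if cat not in {c.lower() for c in policy.approved_categories}:
            return Decision.ASK
        limit = policy.ask_approval_above_usd   # "within limits": assumed to
        if limit is not None and amount_usd > limit:  # reuse the USD threshold
            return Decision.ASK
        return Decision.APPROVE
    # Unknown or missing mode: fall back to the new-account default.
    return Decision.ASK


if __name__ == "__main__":
    now = time.time()
    p = Policy(approval_mode="auto_approve_under_threshold",
               ask_approval_above_usd=25.0,
               blocked_categories=["gambling"], fetched_at=now)
    print(evaluate(p, 10.0, "tickets", now))          # approve
    print(evaluate(p, 30.0, "tickets", now))          # ask
    print(evaluate(p, 5.0, "Gambling", now))          # decline
    print(evaluate(p, 10.0, "tickets", now + 31 * 60))  # ask (stale policy)
```

The staleness branch is the point a reviewer should press on: the skill's own rules ask the agent to keep spending on a cached policy, so the window between the owner tightening a limit and the agent noticing it is a real exposure, and an agent-side evaluator should treat an expired cache as "ask" rather than as permission.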

VirusTotal

0/66 vendors flagged this skill as malicious.

View on VirusTotal