Checkout.com - Integrate with Agentic Payments & Wallets

Security checks across malware telemetry and agentic risk

Overview

This is a real agent-payments skill, but its provider identity and some money-moving/card-handling capabilities are under-disclosed enough to require careful review before use.

Install only if you intentionally want a CreditClaw-powered agent to handle real spending, card checkout, wallet payments, invoicing, and storefront/payment-link creation. Keep ask-for-everything approvals enabled, set low limits, protect and rotate the CREDITCLAW_API_KEY, avoid delegating decrypted card data to secondary agents, and treat buyer emails and shipping addresses as sensitive personal data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Description-Behavior Mismatch

Medium
Confidence: 91%
Finding
The file documents a Crossmint wallet purchasing flow that is explicitly noted as draft and not listed in the skill manifest, while the skill metadata describes PayPal-compatible payments and wallet functions. This creates a capability mismatch that can mislead users, reviewers, or agents about the true scope of actions the skill enables, especially since it can trigger real-world purchases.

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding
The documentation expands from generic payments into merchant order placement for Amazon, Shopify, and arbitrary URLs, including delivery to a provided shipping address. That materially broadens the real-world effect of the skill beyond the declared scope and increases the risk of unauthorized or unexpected purchases of physical goods.

Description-Behavior Mismatch

Medium
Confidence: 91%
Finding
This is a real security concern because the skill explicitly instructs an agent to decrypt payment card data and use it to perform purchases on arbitrary merchant websites. Even with approval and one-time keys, granting an autonomous agent access to full cardholder data materially expands the attack surface, enables misuse at untrusted sites, and creates PCI/data-handling risk if the agent, tools, or browser automation are compromised.

Context-Inappropriate Capability

Medium
Confidence: 88%
Finding
The returned spawn_payload introduces agent orchestration behavior that is broader than necessary for a card decryption/checkout API and could cause sensitive payment operations to be delegated to secondary agents with weaker controls. That increases the chance of card data exposure, inconsistent policy enforcement, and unreviewed autonomous actions during checkout.

Description-Behavior Mismatch

Medium
Confidence: 97%
Finding
The heartbeat content is materially inconsistent with the declared PayPal skill and instead directs the agent to a different provider's authenticated wallet APIs. In an agent-skill context, this can silently reroute sensitive financial telemetry and operational decisions to an unrelated third party, creating a strong risk of deceptive capability substitution, unauthorized data exposure, and misuse of stored API credentials.

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The manifest identifies the skill as "creditclaw" while the supplied skill context describes it as a PayPal-compatible skill named "paypal". This kind of identity mismatch can mislead operators about which service will receive credentials and payment-related requests, increasing the risk of accidental trust, misconfiguration, or credential disclosure to an unintended provider.

Description-Behavior Mismatch

Medium
Confidence: 92%
Finding
The manifest describes the skill as wallet and spending management, but the documented API also enables public commerce features like payment links, checkout pages, invoices, seller profiles, and a public shop. That capability mismatch can cause an agent or reviewer to authorize a much broader financial surface area than expected, increasing the chance of unintended money movement or exposure to external customers.

Context-Inappropriate Capability

Medium
Confidence: 90%
Finding
The skill exposes public commerce and storefront-management operations that go beyond a narrow wallet/spending purpose. In an agent environment, hidden or under-justified sales capabilities can let the agent create externally reachable payment surfaces, invoices, or shops that interact with third parties, broadening fraud, abuse, and reputational risk.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill explicitly documents collection and return of buyer personal data such as buyer name and email, but provides no privacy notice, consent guidance, retention limits, or handling requirements. In a payments context, exposing or encouraging collection of PII without safeguards can lead to privacy violations, overcollection, and downstream misuse by agents integrating the API.

Missing User Warnings

Medium
Confidence: 94%
Finding
The invoice flow allows sending payment-related emails to third-party recipients, but the skill does not warn that this causes outbound communications or discuss abuse risks such as spam, misdelivery, or unauthorized invoicing. In an agent setting, this can be misused to contact arbitrary people and create reputational, compliance, and harassment risks.

Missing User Warnings

Medium
Confidence: 96%
Finding
The purchase flow handles real orders, charges funds, and transmits sensitive shipping information, but the documentation does not prominently warn that these actions have real-world consequences and privacy implications. In an agent context, unclear safety messaging increases the chance of users or automated systems submitting irreversible purchases or exposing personal address data without informed consent.

Missing User Warnings

Medium
Confidence: 89%
Finding
The routine instructs periodic authenticated calls that retrieve wallet balances, spending limits, cards, and guardrails, but provides no warning about the sensitivity of this financial data or guidance on minimizing retention and disclosure. In practice, agents may surface, log, cache, or forward this information unnecessarily, increasing the risk of privacy leakage and financial reconnaissance if logs or conversations are exposed.

Vague Triggers

Medium
Confidence: 84%
Finding
The manifest uses broad wording such as giving an agent spending power and financial management without clear trigger constraints or task boundaries. Broad invocation language can cause the orchestration layer to surface this high-risk financial skill in overly general contexts, increasing the chance of accidental registration, wallet use, or payment actions.

VirusTotal

65/65 vendors flagged this skill as clean.