Skill v1.0.6

ClawScan security

CitiBank Claw | Buy anyone online with CreditClaw · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 11, 2026, 1:22 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's runtime instructions and files mostly match a payment/wallet service, but there are several inconsistencies (declared credentials mismatch, a potentially misleading name, and instructions to fetch/write files from an external site) that warrant caution before installing or granting any API keys.
Guidance
This skill appears to implement a wallet/payments API and legitimately needs one API key (CREDITCLAW_API_KEY). Before installing or providing any secret: (1) verify the publisher and that creditclaw.com is a legitimate service you trust (the skill name uses “CitiBank” but the service is creditclaw.com — that mismatch is suspicious); (2) confirm the registry metadata: the skill files declare CREDITCLAW_API_KEY but the registry entry omitted required env vars — ask the publisher to explain the discrepancy; (3) do not paste your API key anywhere except calls to https://creditclaw.com/api/* and only after you confirm ownership and terms; (4) avoid running the provided curl install commands unless you trust the domain and understand that they will write files into your home directory; (5) if you plan to allow autonomous agent spending, ensure the owner's approval_mode and per-transaction limits are set conservatively and that you monitor activity from the dashboard. If you are unsure about the publisher or why the registry metadata is inconsistent, treat this skill as high-risk and seek additional verification before use.
Findings
[no_regex_findings] expected: The static/regex scanner had no findings, which is expected because this is an instruction-only skill with no code files to analyze. Absence of findings is not evidence of safety — the SKILL.md itself is the primary attack surface.

Review Dimensions

Purpose & Capability
concern: The SKILL.md and skill.json describe a payment/wallet service (CreditClaw) and the API endpoints needed to register, check balance, and spend — which is coherent with the advertised purpose. However the skill name shown to users includes “CitiBank” (CitiBank Claw) while all endpoints and homepage point to creditclaw.com; this is misleading. Also registry metadata supplied with the skill states 'no required env vars / no primary credential', but both SKILL.md and skill.json declare a CREDITCLAW_API_KEY credential — an internal inconsistency that could hide the need to provide a secret.
Instruction Scope
concern: The SKILL.md explicitly instructs the agent to use an API key and provides curl commands that reference $CREDITCLAW_API_KEY and endpoints on creditclaw.com. It also suggests running curl commands to download SKILL.md and heartbeat.md into ~/.creditclaw/skills/, which directs agents/users to fetch and write files from a third-party domain. The instructions do not try to read unrelated system files, but they do rely on an environment variable (the API key) even though the registry metadata omitted that requirement.
Install Mechanism
note: There is no formal install spec in the registry (instruction-only), which is lower risk from automatic installers. The included 'install locally' snippet uses curl to download files from https://creditclaw.com into the user's home directory — a non-reviewed third-party download. No archive extraction or binary install is shown. Risk is moderate and depends on whether the user actually runs those curl commands.
Credentials
concern: The skill legitimately needs one service credential (CREDITCLAW_API_KEY) to call its API endpoints. However, the registry metadata indicates no required env vars while the SKILL.md and skill.json declare CREDITCLAW_API_KEY as required — an incoherent declaration. Requiring a single API key is proportionate for a payments API, but the metadata mismatch is a red flag that the registry entry may be incomplete or tampered with.
Persistence & Privilege
ok: The skill is not always-enabled and allows normal user invocation. There is no install spec that creates system services or requests elevated privileges. The only persistent action suggested is writing files to ~/.creditclaw/skills/ if the user chooses to run the provided curl commands — that is local and user-initiated.