Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

CreditClaw - Give your Claw Agent a credit card - spend anywhere

v1.3.2

Let your agent shop online with guardrailed wallets, multiple payment methods, and owner approval.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The skill is a payment/checkout helper and only requires CREDITCLAW_API_KEY and access to creditclaw.com APIs; that credential is exactly what a remote payment service would need. No unrelated credentials, binaries, or system paths are requested.
Instruction Scope
SKILL.md instructs the agent to call CreditClaw endpoints (GET /bot/status, POST /bot/merchant/checkout, stripe-wallet endpoints, etc.) and to include Authorization: Bearer $CREDITCLAW_API_KEY. It also suggests optionally downloading the skill files into ~/.creditclaw/skills (via curl), which writes remote content to disk — this is outside pure in-memory operation but is consistent with storing companion docs. There are no instructions to read unrelated local files or send the API key to domains other than creditclaw.com (the document explicitly warns against that).
Install Mechanism
This is an instruction-only skill with no install spec and no code files to execute. The only potentially persistent action shown is optional curl commands to fetch docs from creditclaw.com; those downloads come from the skill's stated homepage and are not arbitrary or obfuscated URLs.
Credentials
Only one environment variable (CREDITCLAW_API_KEY) is required and marked as primary; that is appropriate and proportionate for a remote payment API. The SKILL.md uses that single credential for Authorization headers and does not reference other secrets.
Persistence & Privilege
The skill is user-invocable and not always-on. It does suggest saving files into the user's home (~/.creditclaw/skills) which creates persisted documentation on disk. Autonomous invocation is allowed by default (platform normal), so consider whether you want the agent to have any ability to act without immediate human confirmation — however the skill's default described behavior (approval_mode: ask_for_everything) is conservative.
Assessment
This skill appears internally consistent for letting an agent make purchases through CreditClaw. Before installing:
1) Only provide a CREDITCLAW_API_KEY you trust — create a limited-scope key if possible and rotate it if compromised.
2) Keep the agent's approval_mode restrictive (ask-for-everything) until you trust its behavior so it cannot spend without your sign-off.
3) Review the remote docs (https://creditclaw.com) yourself before using the provided curl-save commands; saving remote files to ~/.creditclaw/skills persists content that could change if the site is compromised.
4) Do not paste the API key into other services or prompts; follow the skill's own guidance to only send it to creditclaw.com.
If you need greater assurance, request source or a privacy/security policy from the vendor (creditclaw.com) or limit the agent to manual, human-invoked flows only.

Like a lobster shell, security has layers — review code before you run it.

Tags: creditcard, latest, pay, shop


Runtime requirements

Env: CREDITCLAW_API_KEY
Primary env: CREDITCLAW_API_KEY
