Skillv1.0.0

ClawScan security

Shop on Dell - Give your Claw Agent a credit card · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 11, 2026, 2:42 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's title promises an agent that can accept a credit card for purchases, but the provided instructions are marketing/buying guidance with no declared payment integration or credentials — this mismatch could be benign (poor labeling) or misleading, so proceed with caution.
Guidance: This skill's name implies it can accept a credit card and make purchases, but the instructions are only product and buying information and the skill declares no credentials or payment integration. Do not provide your credit card details to the skill. Before installing, verify the skill's source (official Dell affiliation), ask the publisher how payments are processed (tokenized gateway, never raw card storage), and require explicit, documented environment variables or OAuth flows for any payment capability. If you want an agent to make purchases, prefer skills that clearly document secure payment hooks, or perform purchases manually via the vendor website instead.

Review Dimensions

Purpose & Capability: concernThe skill name and description imply an agent that can browse and purchase on behalf of the user (and the title explicitly suggests giving the agent a credit card). However, the SKILL.md metadata declares no credentials, no required env vars, and no payment integration. That mismatch (promised purchasing capability vs. no mechanism to accept or use payment credentials) is incoherent and unexplained.
Instruction Scope: noteThe SKILL.md content is essentially product information, sales channels, and how-to-buy guidance (marketing and links). It does not contain runtime instructions for autonomous purchasing, collecting payment details, or calling Dell APIs. The instructions therefore do not match the 'give your agent a credit card' implication — the agent would have no documented, authorized way to complete purchases.
Install Mechanism: okThis is an instruction-only skill with no install spec, no code files, and no downloads. From an install-mechanism perspective there is no disk-write or package-install risk.
Credentials: concernNo environment variables, credentials, or config paths are declared despite the skill's claim of enabling purchases. A purchasing-capable skill would normally request or document a payment token, gateway credentials, or at least point to a secure payment flow; the absence here is disproportionate to the implied capability and raises questions about how payment would be handled.
Persistence & Privilege: okThe skill does not request 'always: true' and is user-invocable only. It does not declare any actions that would modify other skills or system settings. No elevated persistence is requested.