Skillv1.0.0

ClawScan security

SAP Skills - Use SAP for procurement with your agent · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 11, 2026, 12:35 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's declared purpose (shopping on Amazon via CreditClaw) aligns with the single required credential (CREDITCLAW_API_KEY) and its API calls, but there are notable inconsistencies and operational risks you should understand before installing.
Guidance: Key things to check before installing: 1) Confirm the publisher and listing metadata — the skill's displayed name/slug differ from the embedded CreditClaw content; ask the publisher why. 2) Verify creditclaw.com is a legitimate service you trust; the skill will use your CREDITCLAW_API_KEY to move money. 3) Understand file behavior: the instructions suggest downloading and saving files to ~/.creditclaw and saving owner-supplied encrypted card files that include a decrypt.js script. Only install if you trust the remote files and if the agent runtime can sandbox/auto-delete sub-agents and prevent script execution from untrusted files. 4) Avoid running the 'alternative' mode where the main agent executes decrypt steps (this would expose decrypted card data). 5) If you proceed, require manual human approval for any top-up or purchase and monitor owner/dashboard activity; consider keeping the API key in a secrets manager and restrict network access so the key is only used toward creditclaw.com. If you cannot validate the publisher or cannot guarantee sandboxing, do not install.

Review Dimensions

Purpose & Capability: noteThe skill's files and SKILL.md consistently implement an agent shopping/financial capability against creditclaw.com using CREDITCLAW_API_KEY, which is proportionate. However the top-line name shown in the evaluation ('SAP Skills - Use SAP for procurement with your agent') and the registry slug ('sap') do not match the skill content (CreditClaw Amazon shopping). This mismatch between listing metadata and actual files is suspicious and should be explained by the publisher before trusting the package.
Instruction Scope: concernThe runtime instructions tell the agent to call many CreditClaw API endpoints (expected) but also recommend downloading and saving multiple remote Markdown files into ~/.creditclaw/skills/amazon and saving owner-delivered encrypted card files into .creditclaw/cards. The encrypted-card flow explicitly instructs spawning ephemeral sub-agents to run a delivered decrypt.js script (contained in owner-supplied files) to decrypt card data and then execute checkout steps. Executing code delivered inside an encrypted card file (decrypt.js) is a real risk if the environment does not strictly sandbox sub-agents; the documentation relies on sub-agent isolation but also documents an alternative of running the steps in the main agent (which would expose decrypted card data).
Install Mechanism: noteNo formal install spec (instruction-only) — lowest automated install risk. The SKILL.md suggests curl commands to fetch files from https://creditclaw.com; those URLs are consistent and not obscure, but they will write content to the user's home directory if followed. Downloading remote files and placing them under ~/.creditclaw is operationally normal for an instruction-only skill, but it is a persistence action initiated by the agent/user rather than a vetted package installation.
Credentials: okOnly CREDITCLAW_API_KEY is required and is the declared primary credential. That matches the described API usage and is proportionate for a payments/shopping integration. No other unrelated secrets or config paths are requested.
Persistence & Privilege: noteThe skill does not request elevated platform privileges and is not always-enabled. It recommends storing skill files and owner-supplied card files under dot-directories (~/.creditclaw). Persisting those files is expected for the described flows but creates attack surface (saved decrypt scripts and encrypted card files). The skill instructs spawning ephemeral sub-agents; if your platform cannot enforce strict isolation and automatic deletion, the sub-agent pattern's security guarantees may not hold.