Buy any shopify product with your claw

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed real-money shopping and payment skill with sensitive capabilities, but the artifacts are coherent and do not show hidden execution or deception.

Install only if you intentionally want an agent to make or request real payments through CreditClaw. Store the API key in a secrets manager, keep ask-for-everything or low spending limits until trust is established, confirm merchant/item/price/shipping details before purchases, and avoid enabling x402 or payment-link workflows unless you understand those money-movement capabilities.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill is presented as an online-shopping/payment tool with owner approval, but it also enables generating Stripe payment links to charge arbitrary third parties. That broadens the capability from buying goods to operating as a payment processor/merchant, which is materially different from the declared purpose and increases abuse potential.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The skill claims to be for shopping online, but it also exposes x402 payment-signing and agent-to-agent payment functionality. This is a broader financial primitive than shopping and could be used for arbitrary value transfer, creating a mismatch between stated purpose and actual authority.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
Allowing the agent to create Stripe payment links lets it solicit or receive funds from arbitrary third parties, which is not necessary for an online-shopping skill. This can be abused for unauthorized billing, fraud, social engineering, or running unreviewed commerce flows through the agent.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation instructs agents to transmit a full shipping address together with authenticated purchase requests, but it does not include any warning about sensitive data handling, minimization, redaction, or safe storage of the API key. In an agent-skill context, this increases the chance that downstream systems, logs, prompts, or callback handlers expose personal data or credentials during routine use.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This documentation instructs an agent to make cryptographically signed wallet payments and spend owner funds, but it does not include an explicit warning that these actions can cause real financial loss and should require clear user authorization. In an agent skill whose purpose is autonomous purchasing, omission of a prominent financial-risk warning increases the chance of unintended or socially engineered spending.

External Transmission

Medium
Category
Data Exfiltration
Content
### Request x402 Payment Signature

```bash
curl -X POST https://creditclaw.com/api/v1/stripe-wallet/bot/sign \
  -H "Authorization: Bearer $CREDITCLAW_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
```
Confidence
88% confidence
Finding
`curl -X POST https://creditclaw.com/api/v1/stripe-wallet/bot/sign \ -H "Authorization: Bearer $CREDITCLAW_API_KEY" \ -H "Content-Type: application/json" \ -d`

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
-H "Authorization: Bearer $CREDITCLAW_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "resource_url": "https://api.example.com/v1/data",
    "amount_usdc": 500000,
    "recipient_address": "0x1234...abcd"
  }'
```
Confidence
85% confidence
Finding
https://api.example.com/

External Transmission

Medium
Category
Data Exfiltration
Content
Use the `x_payment_header` value as-is in your retry request:
```bash
curl https://api.example.com/v1/data \
  -H "X-PAYMENT: eyJ0eXAiOi..."
```
Confidence
84% confidence
Finding
https://api.example.com/

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
**You must follow these rules:**
- If `approval_mode` is `ask_for_everything`, ask your human before any purchase to get their approval. **New accounts default to this mode.** Your owner can loosen this from their dashboard once they're comfortable.
- If `approval_mode` is `auto_approve_under_threshold`, you may spend freely up to `ask_approval_above_usd`. Anything above that requires owner approval.
- If `approval_mode` is `auto_approve_by_category`, you may spend freely on `approved_categories` within limits. All others require approval.
- **Never** spend on `blocked_categories`. These are hard blocks enforced server-side and will be declined.
- Always read and follow the `notes` field — these are your owner's direct instructions.
Confidence
89% confidence
Finding
auto_approve

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
**You must follow these rules:**
- If `approval_mode` is `ask_for_everything`, ask your human before any purchase to get their approval. **New accounts default to this mode.** Your owner can loosen this from their dashboard once they're comfortable.
- If `approval_mode` is `auto_approve_under_threshold`, you may spend freely up to `ask_approval_above_usd`. Anything above that requires owner approval.
- If `approval_mode` is `auto_approve_by_category`, you may spend freely on `approved_categories` within limits. All others require approval.
- **Never** spend on `blocked_categories`. These are hard blocks enforced server-side and will be declined.
- Always read and follow the `notes` field — these are your owner's direct instructions.
- Cache this for up to 30 minutes. Do not fetch before every micro-purchase.
Confidence
89% confidence
Finding
auto_approve

VirusTotal

56/56 vendors flagged this skill as clean.
