Back to skill

Security audit

Stripe Agent Wallet | Use Stripe top-up your agentic wallet - Private Beta

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed payment automation skill, but it gives an agent broad authority to decrypt card data and complete purchases across many sites, so it should be reviewed carefully before use.

Install only if you intentionally want an agent to operate a CreditClaw financial account, handle encrypted card data through an ephemeral checkout flow, and make purchases or create payment pages under your controls. Keep default ask-for-everything approval enabled, set strict spending and domain limits, avoid saved third-party retail accounts unless necessary, verify webhook callback domains, and review every final merchant/order total before allowing card entry or order submission.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (28)

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The management companion expands the skill from shopping into account-management functions such as transaction history and profile/webhook changes, which are not clearly aligned with the stated purpose. This creates a scope mismatch that can mislead users or calling agents into granting broader authority than expected, increasing the chance of unauthorized or unintended account changes.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill documents the ability to modify bot profile fields and rotate webhook configuration, which can change remote account behavior and redirect sensitive callbacks. In a shopping-focused skill, these capabilities are unexpectedly powerful and could be abused to hijack webhook delivery, alter agent identity, or create persistence through external callback control.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The file’s declared purpose is a Stripe-backed shopping skill, but the content expands into a general procurement router for many merchants and platforms, including Amazon, Shopify, WooCommerce, Wix, Magento, and vendor-specific skill discovery. This is a significant scope mismatch that can cause an agent or reviewer to trust the skill under a narrow payments label while it actually enables broad purchasing and checkout behavior across unrelated sites.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The vendor-discovery API and merchant-skill enumeration capabilities materially broaden what the skill can do beyond a Stripe-focused checkout helper. This enables the skill to discover and route into a large set of external merchant workflows, increasing the chance of unintended transactions, data disclosure about supported merchants, and hidden expansion of agent behavior beyond what a user would reasonably expect from the skill name and description.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The file presents itself as an ephemeral checkout flow, but its actual instructions direct a spawned sub-agent to obtain a decryption key, decrypt full payment card data, and use it on third-party merchant sites. That is a materially more sensitive capability than a generic checkout helper and creates a powerful payment-instrument handling workflow that could be abused for unauthorized purchases or broaden the blast radius if the sub-agent is compromised.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The file materially expands the skill's scope from a Stripe-backed shopping integration into full browser automation for Amazon account login, cart management, and checkout on a third-party site. That mismatch is dangerous because it enables credentialed actions and purchases outside the declared trust boundary, increasing the chance of unauthorized account use and deceptive capability creep.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The guide instructs the agent to authenticate to Amazon, select saved payment methods, and place orders, even though the stated skill purpose is Stripe-focused. This creates an unjustified high-risk capability to operate a user's third-party retail account and spend stored funds, which could be abused for unauthorized purchases or account actions.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The file’s behavior scope materially exceeds the stated Stripe-focused shopping skill by providing a full BigCommerce merchant checkout playbook. That mismatch is dangerous because it broadens where and how the agent can operate, including direct checkout and payment handling on third-party storefronts, reducing user transparency and increasing the chance of unauthorized or unexpected financial actions.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The guide explicitly supports non-Stripe payment handling, including inline card entry and Braintree-related flows, despite the skill being presented as Stripe-backed. This is dangerous because it enables collection and submission of payment credentials across broader processors and form types than users would reasonably expect, increasing the attack surface for sensitive financial data misuse.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The file explicitly positions itself as a universal checkout reference for arbitrary merchants, not a Stripe-specific integration guide. That broadens the skill's operational scope beyond its declared purpose and can enable the agent to perform purchasing actions across unrelated sites, weakening user expectations, policy boundaries, and platform-specific safety controls.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
Including Braintree and Adyen handling expands the skill from a Stripe-backed checkout capability into a multi-processor payment automation tool. This increases attack surface and makes the skill usable in contexts far outside what the metadata advertises, which is especially risky for a payments-oriented agent handling sensitive transactions.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The guide goes beyond Stripe-specific behavior and provides generic Magento checkout and payment-entry instructions. In a skill described as Stripe-focused, this broadens the agent's operational scope to facilitate general checkout completion, increasing the chance of unauthorized purchasing behavior and misuse outside the stated purpose.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The file explicitly supports non-Stripe processors such as Braintree, Adyen, and PayPal despite the skill being marketed as Stripe-backed. This materially expands the capability from Stripe integration guidance to broad payment-processor handling, which makes the skill more dangerous because it can assist entry into third-party payment flows unrelated to its declared purpose.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
This guide goes far beyond merchant/platform detection and navigation by providing step-by-step instructions to complete checkout, enter payment details, and submit an order. In an agent skill, that materially enables autonomous purchasing behavior, increasing the risk of unauthorized transactions or misuse of stored/decrypted payment data.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The instructions explicitly direct use of decrypted card number and CVV values inside payment iframes, which is highly sensitive financial data handling. Embedding this capability in a shopping skill creates a direct path to payment credential misuse, unauthorized purchases, and potential noncompliant handling of cardholder data.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The PATCH example performs persistent remote changes to account metadata and callback configuration without an explicit warning that the update takes effect immediately. This raises the risk that an agent or user triggers a state-changing action without understanding the consequences, especially when changing the callback URL can affect future event delivery.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill explicitly collects and transmits buyer personal data such as recipient names, recipient emails, and buyer emails, but it does not include any privacy notice, data-handling guidance, retention limits, or disclosure obligations. In a payment/invoicing context, omission of privacy and compliance guidance can lead agents or operators to process PII without proper consent, disclosure, or safeguards.

Missing User Warnings

Low
Confidence
82% confidence
Finding
The documentation encourages sharing checkout URLs publicly and publishing storefront content, but it does not warn that these links and shop pages are publicly accessible and may expose product metadata, payment endpoints, and business identity. This can cause accidental overexposure of internal, test, or sensitive offerings by users who assume links are private.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The file gives operational instructions for progressing through checkout and identifying/filling payment forms, but it does not present an explicit warning or approval checkpoint for purchase-impacting actions. In a shopping skill, this context makes the omission more dangerous because the documented flow directly facilitates order submission and payment entry, increasing the risk of accidental or unauthorized purchases.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The checkout section tells the agent to select a saved card, confirm shipping details, and click the final order button, but it does not require an explicit final confirmation from the user immediately before purchase. In an automation context, this is dangerous because a mistaken, manipulated, or malicious flow could convert browsing into a real financial transaction using stored payment credentials.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The markdown instructs the agent to enter full card number and CVV into payment fields without any warning, consent language, or handling restrictions for highly sensitive financial data. In this skill context, that is especially dangerous because the agent is positioned to automate shopping, so undocumented card-data handling could normalize unsafe PCI-sensitive behavior and expose users to fraud, data leakage, or noncompliant processing.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The guide instructs the agent to enter decrypted card number and CVV values directly into browser fields, but provides no visible warning, minimization guidance, or handling constraints for highly sensitive financial data. In the context of a universal checkout guide, this is more dangerous because it normalizes card-data use across arbitrary merchant pages, increasing the risk of misuse, accidental exposure, or operation on untrusted sites.

Missing User Warnings

High
Confidence
98% confidence
Finding
The instructions direct the agent to type decrypted card number and CVV into payment fields, including iframe-based processors, without any warning, consent gating, or handling restrictions for highly sensitive financial data. In this skill context, that is especially dangerous because it operationalizes payment credential use during checkout, creating clear risk of financial fraud, unauthorized transactions, and PCI-sensitive data exposure.

Missing User Warnings

High
Confidence
96% confidence
Finding
The checkout flow instructs the agent to fill shipping data, enter card information, click the final payment button, and verify order completion, but provides no requirement for explicit user confirmation before charging the card. That absence of a consent boundary makes accidental or unauthorized purchases much more likely in an automated setting.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill gives step-by-step instructions for entering decrypted payment card data and CVV into Stripe Elements, but provides no explicit warning, restriction, or consent requirement around handling highly sensitive financial data. In an agent skill context, this normalizes automated processing of cardholder data and can enable unsafe collection, display, or misuse of PCI-regulated information if the surrounding system is not tightly controlled.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.