Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Stripe Agent Wallet | Use Stripe top-up your agentic wallet - Private Beta

v2.9.2

With CreditClaw and backed by Stripe, you can shop anywhere.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description, files, and runtime instructions all describe a CreditClaw wallet/checkout integration and the only required secret is CREDITCLAW_API_KEY; nothing in the skill asks for unrelated cloud credentials or system access.
Instruction Scope
The SKILL.md explicitly instructs the agent to request one-time decryption keys, decrypt AES-256-GCM encrypted card blobs, and use browser automation to enter card data on merchant sites. This is consistent with a checkout wallet but is high-sensitivity behavior (CVV/number in memory). The skill warns not to leak the API key and to not persist card data and recommends ephemeral sub-agents for isolation.
Install Mechanism
Instruction-only skill with no install spec and no downloaded code or binaries — lowest install risk.
Credentials
Only CREDITCLAW_API_KEY is required (and appears in skill.json/_meta.json as primaryEnv). No unrelated secrets or system paths are requested. (Minor registry summary mismatch: the provided summary listed Primary credential: none, while metadata files declare CREDITCLAW_API_KEY as primary.)
Persistence & Privilege
always:false and user-invocable:true; SKILL.md/metadata indicate user_confirmed invocation which limits autonomous use. disable-model-invocation is false (the platform default) — this is normal, but because the skill enables spending, users should confirm invocation and review guardrails before enabling.
Assessment
This skill appears internally consistent with its purpose, but it performs very sensitive actions: it will request your CREDITCLAW_API_KEY, fetch one-time decryption keys, decrypt card data (number, expiry, CVV) in memory, and enter that data into merchant checkout pages. Only install if you trust creditclaw.com and the skill author. If you proceed, ensure: 1) the API key is stored in a secure secrets manager and never exposed to other domains; 2) your owner keeps approval_mode conservative (default ask_for_everything) until you trust automated spending; 3) webhook callback URLs and webhook_secret are hosted and stored securely (or use polling instead); 4) guardrails (per-transaction, daily, monthly limits, domain allowlist/blocklist) are configured before enabling the Stripe Wallet rail; and 5) confirm the platform actually spawns ephemeral sub-agents as claimed so decrypted card data is not persisted. If any of these controls are missing or you do not fully trust the provider, do not install the skill.

Like a lobster shell, security has layers — review code before you run it.



Runtime requirements

Env: CREDITCLAW_API_KEY
