v2.9.2

Stripe Agent Wallet | Use Stripe top-up your agentic wallet - Private Beta

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 5:44 AM.

Analysis

This instruction-only skill is transparent about its purpose, but it gives an agent real-money spending, card-handling, and payment-management authority that should be reviewed carefully before installation.

GuidanceInstall only if you intentionally want this agent to have payment authority. Verify the CreditClaw provider and domain, keep the API key secret, require human confirmation for purchases and invoices, set strict spending limits and merchant/domain controls, and review any remote vendor checkout instructions before letting the agent follow them.

Findings (7)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation

SeverityHighConfidenceHighStatusConcern

CHECKOUT-GUIDE.md

1. Call POST /bot/rail5/checkout ... 4. Decrypt card details ... 7. Fill shipping/billing, then card fields ... 8. Submit and capture confirmation

The documented workflow lets the agent complete real merchant checkouts using owner payment details. This is central to the skill, but it is broad, high-impact financial authority.

User impactIf misused or misconfigured, the agent could place orders or charge the owner’s payment method.

RecommendationKeep approval_mode set to ask_for_everything, set tight per-transaction/daily limits and merchant/domain restrictions, and require a final human confirmation before every purchase submission.

Tool Misuse and Exploitation

SeverityMediumConfidenceHighStatusConcern

MY-STORE.md

POST https://creditclaw.com/api/v1/bot/invoices/[id]/send ... Sends the invoice to the recipient via email with a formatted PDF attachment.

The skill documents account/business mutations that can send external payment requests by email. The excerpt does not show a separate owner-approval gate for these public-facing actions.

User impactThe agent could create or send payment requests that affect customers, reputation, or business records.

RecommendationRequire explicit user approval before creating public checkout pages, payment links, or sending invoices; review recipients, amounts, and descriptions before sending.

Agentic Supply Chain Vulnerabilities

SeverityMediumConfidenceHighStatusConcern

SHOPPING-GUIDE.md

If a vendor skill exists → use it ... Returns the vendor's complete checkout instructions as Markdown.

The reviewed bundle delegates checkout behavior to remote, runtime Markdown instructions fetched from CreditClaw. In a payment flow, unpinned or changed remote instructions can materially alter what the agent does.

User impactA changed, compromised, or overly broad vendor instruction could influence the agent during checkout.

RecommendationTreat fetched vendor skills as untrusted until reviewed, require confirmation before following them in a payment flow, and prefer signed or version-pinned vendor instructions.

Rogue Agents

SeverityLowConfidenceHighStatusNote

HEARTBEAT.md

Run this routine periodically ... Messages | GET /bot/messages | Every 30 minutes ... Full status | Every 8 hours ... Spending permissions | Every 24 hours

The skill instructs recurring polling. This is disclosed and purpose-aligned for wallet status, but it is ongoing agent behavior outside a single checkout task.

User impactThe agent may continue checking wallet messages or acknowledging events on a schedule if the user enables this behavior.

RecommendationEnable heartbeat polling only when needed, set clear schedules, and avoid acknowledging or acting on messages without user-approved policy.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityMediumConfidenceHighStatusNote

SKILL.md

Do not share CREDITCLAW_API_KEY with any other agent, tool, or service. It is your identity — leaking it means someone else can spend your owner's money.

The API key is expected for this service, but the artifact itself states that it represents the agent’s spending identity.

User impactAnyone who obtains the key may be able to operate the wallet within its configured limits.

RecommendationStore the key only in a secrets manager, rotate it if exposed, and do not paste it into chats, logs, vendor pages, or unrelated tools.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning

SeverityMediumConfidenceHighStatusNote

CHECKOUT-GUIDE.md

Never store, log, or persist decrypted card data. It exists only in memory for the duration of a single checkout.

The workflow handles decrypted card number, expiry, CVV, and billing fields in agent/browser context. The docs include appropriate no-storage guidance, but the data is still highly sensitive.

User impactCard data could leak through transcripts, debugging output, screenshots, browser history, or logs if the environment is not configured carefully.

RecommendationUse ephemeral sessions, disable logging/transcript capture for card entry, and ensure decrypted card data is never displayed back to the user or saved.

Insecure Inter-Agent Communication

SeverityMediumConfidenceHighStatusNote

WEBHOOK.md

callback_url ... Used for approval results, card delivery signals, and spending alerts ... always verify the X-CreditClaw-Signature header

The skill supports webhook delivery of sensitive payment events. It is optional and includes signature-verification guidance, but it creates an external message boundary.

User impactA poorly secured webhook endpoint could expose payment status or card-delivery events, or let forged events influence the agent.

RecommendationOnly configure webhooks to endpoints you control, enforce HMAC verification, reject unsigned events, and treat webhook messages as notifications rather than commands.