Skillv1.0.0

ClawScan security

VenmoClaw - Give your Claw Agent a credit card - They can spend anywhere or request payment · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 11, 2026, 12:59 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's purpose (letting an agent spend money via CreditClaw) is plausible and the single requested secret (CREDITCLAW_API_KEY) is appropriate, but the runtime instructions ask the agent to write and decrypt sensitive card files, spawn ephemeral sub-agents, and run a node decrypt script while the skill metadata does not declare those platform requirements—this mismatch and the fallback that lets the main agent decrypt cards are concerning.
Guidance: This skill is coherent with a payment integration and the single required env var (CREDITCLAW_API_KEY) makes sense, but there are several red flags to consider before installing: - The docs instruct the agent to save encrypted card files and to run a decrypt script (node decrypt.js). Confirm whether your environment provides a safe, isolated 'sub-agent' mechanism; if not, the skill explicitly says the main agent can decrypt the card, which would expose full card numbers/CVV to the agent and any logs—avoid that unless you understand and accept the risk. - The skill assumes you can run 'node' and spawn ephemeral sessions, but the skill metadata does not declare 'node' or sub-agent requirements. Ask the publisher to list required binaries/runtime and to remove the fallback that exposes decrypted cards to the main agent. - The manifest URLs point to creditclaw.com (consistent), but verify you trust that domain and its security practices before handing over an API key or saving card files. Treat the API key like a full-payment credential — do not reuse it elsewhere. - If you proceed, ensure the agent's filesystem and logs are secured (no persistent logging of decrypted card data), confirm sub-agent deletion behavior, and consider limiting the skill's autonomous invocation or adding human approval thresholds. If you cannot verify sub-agent isolation, node availability, or the publisher's trustworthiness, do not install or provide the CREDITCLAW_API_KEY.

Review Dimensions

Purpose & Capability: noteThe name/description match the behavior: the skill calls a single payment API (creditclaw.com) and requires CREDITCLAW_API_KEY, which is proportional. However, the instructions also assume the ability to save files under ~/.creditclaw and .creditclaw/cards and to spawn ephemeral sub-agents and execute 'node decrypt.js'—capabilities not declared in required binaries or config paths. That mismatch is unexpected.
Instruction Scope: concernSKILL.md and companion docs explicitly instruct the agent to download and save skill files and encrypted card files, retrieve single-use decryption keys, and run a decrypt script (node decrypt.js). They recommend spawning an ephemeral sub-agent to avoid exposing decrypted card details, but they also give an explicit 'Alternative' that allows the main agent to run the decrypt steps if sub-agents are unavailable. That alternative expands scope to direct handling of full card PAN/CVV data in the main agent context, which contradicts the privacy claims and grants broad discretion to the agent.
Install Mechanism: noteThere is no formal install spec (instruction-only), which reduces installer risk. The docs include curl commands that download multiple files from creditclaw.com into ~/.creditclaw — the URLs point to the stated homepage/domain (creditclaw.com), which is consistent, but the act of writing scripts and card files to disk is effectively an installation step not declared in the manifest.
Credentials: okOnly CREDITCLAW_API_KEY is requested and declared as primaryEnv; that is expected for a payment integration. There are no unrelated credentials requested. However, the skill instructs processes that will handle highly sensitive data (decrypted card numbers), which is a data-sensitivity concern even if env var requests are minimal.
Persistence & Privilege: noteThe skill is not forced-always and allows normal autonomous invocation. It asks the agent to persist files under home paths (~/.creditclaw, .creditclaw/cards) and suggests saving decrypt scripts and card files locally; these are permissions to write to the agent's filesystem but do not attempt to modify other skills or system-wide settings. The lack of declared config paths in the manifest is an inconsistency to be aware of.