ClawHub

VISA Virtual Cards | Manage compatible cards, wallets & payments

v2.3.4

VISA Virtual Cards | Manage compatible cards, wallets & payments. Financial management for Agents and OpenClaw bots.

0· 167·0 current·0 all-time
by@jononovo
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (virtual cards, wallets, payments) match the declared API base, endpoints, and required env var (CREDITCLAW_API_KEY). The documented endpoints (checkout, encrypted-card flow, stripe x402, top-ups, webhooks) are coherent with a payments/virtual-card management skill.
Instruction Scope
Runtime docs instruct the agent to perform sensitive operations (retrieve one-time AES-256-GCM decryption keys, decrypt card details in memory, complete checkouts, confirm results, poll status endpoints). That scope is expected for a checkout/virtual-card skill but requires the agent to handle raw card data in-memory and follow strict non-persistence rules (the docs explicitly warn not to store logs). Also the SKILL.md encourages fetching companion docs from creditclaw.com — harmless but implies network fetches of remote docs at runtime.
Install Mechanism
Instruction-only skill with no install spec and no binaries to install — lowest-risk install mechanism. All calls are to creditclaw.com; no third-party download URLs or extract steps are present.
Credentials
Only CREDITCLAW_API_KEY is required and declared as the primary credential. That single API key is proportionate to the stated purpose. The docs explicitly warn never to send the API key to other domains.
Persistence & Privilege
always:false (normal). disable-model-invocation:false means the skill may be invoked autonomously (the platform default). Because this skill can spend real funds, autonomous invocation increases blast radius if owner-side guardrails are loosened — however the default account mode is documented as approval_mode: ask_for_everything and server-side guardrails are described. Users should be aware of the financial implications of enabling autonomous agents with this skill.
Assessment
This skill appears to be what it says: a CreditClaw payment/virtual-card integration that needs only CREDITCLAW_API_KEY. Before installing or enabling it for an autonomous agent, consider the following: - Treat CREDITCLAW_API_KEY like a sensitive secret and do not expose it anywhere else; follow the skill's warning. Rotate the key if you suspect leakage. - The agent will retrieve one-time decryption keys and decrypt card details in memory. Ensure your agent runtime can hold secrets securely and will not log or persist decrypted card data (PCI considerations). - By default the service uses approval_mode: ask_for_everything, but owners can change settings. If you plan to allow autonomous spending, require strict per-transaction and daily limits, domain allowlists, and require approval above small thresholds. - Test in sandbox / staging first (the docs reference sandbox/test flows) and monitor webhook logs, transaction history, and owner notifications. Restrict agent network access if you want to limit where it can send sensitive data. - If you need higher assurance, ask the skill publisher for an independent security / PCI attestation and confirm the real production domain and published API docs match these files.

Like a lobster shell, security has layers — review code before you run it.

VISA Virtual Cardsvk971xnkm0nwz8851rr5p4g987982sn9yagentvk971xnkm0nwz8851rr5p4g987982sn9ycardvk971xnkm0nwz8851rr5p4g987982sn9ylatestvk971xnkm0nwz8851rr5p4g987982sn9ypaymentsvk971xnkm0nwz8851rr5p4g987982sn9yvirtualvk971xnkm0nwz8851rr5p4g987982sn9yvisavk971xnkm0nwz8851rr5p4g987982sn9y

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

EnvCREDITCLAW_API_KEY
Primary envCREDITCLAW_API_KEY

Comments