Skill v0.1.3
ClawScan security
AgentSpend · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 21, 2026, 5:42 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's code and instructions mostly match its stated purpose (paying external APIs), but there are inconsistencies and practical risks you should understand before installing or running it.
- Guidance: what to consider before installing or using AgentSpend:
  - Origin and trust: the source and homepage fields are missing. Verify the package and its publisher on npm or in a repository before running npx; unknown origin increases risk.
  - Files written to disk: the CLI stores credentials at ~/.agentspend/credentials.json and a pending token file. Expect those files to exist, and remove them if you uninstall.
  - Remote code execution: SKILL.md tells you to run 'npx agentspend', which fetches and runs code from the package registry (including any install-time lifecycle scripts the package declares). Only run it if you trust the package source and have reviewed the package contents.
  - Monetary risk: the tool is designed to make paid requests. Configure strict spending controls first (a very low weekly budget, a domain allowlist, and --max-cost on pay commands). Prefer running only 'check' and 'search' until you have audited the behavior.
  - Auto-claim behavior: the CLI can auto-claim pending configure tokens and generate an API key locally; make sure no unexpected 'ready_to_claim' tokens exist that could be claimed automatically.
  - Mitigations: review the package on npm/GitHub, run it in a sandbox or container, set budgets and allowlists before allowing any autonomous runs, and inspect ~/.agentspend/credentials.json after configuration. If you are not comfortable reviewing the code or verifying the publisher, treat this skill as high-risk and avoid running npx or configuring payment methods.
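The origin, npx, files-on-disk and auto-claim checks above can be scripted as a pre-flight audit that runs before anything from the package executes. The script below is an added example written for this review page; it is not ClawHub's scanner code or AgentSpend's own code. It assumes the package has been fetched without installing it (for instance with `npm pack agentspend`, which only downloads the tarball) and unpacked into a directory, that the skill's local state lives in ~/.agentspend/credentials.json and ~/.agentspend/pending-configure.json as the review states, and that the pending-token file is a JSON object with a "status" field whose "ready_to_claim" value the CLI auto-claims (the file schema is an assumption; only the state name comes from the review). The sample package tree and state files are constructed inline so the checks run offline; the postinstall hook in the sample is there to exercise the check and is not something the review attributes to the real package.

```python
# Added example for this review page, not ClawHub or AgentSpend code; assumptions
# (the sample package tree, the pending-configure.json schema) are marked inline.
from __future__ import annotations
import json
import os
import re
import stat
import tempfile
from pathlib import Path

# npm runs these hooks at install time (npx installs into its cache first), so any
# of them is code that executes before the CLI entry point does.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Source patterns that deserve a manual read in a CLI that touches money and keys.
RISKY_PATTERNS = {
    "child_process": re.compile(r"child_process|execSync\(|spawn\("),
    "home_dir_write": re.compile(r"homedir\(\)|\.agentspend"),
    "dynamic_code": re.compile(r"\beval\(|new Function\("),
}
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")

def audit_package_dir(pkg_dir: Path) -> dict:
    """Read package.json and every .js file; report hooks, deps, hosts and risky calls."""
    manifest = json.loads((pkg_dir / "package.json").read_text(encoding="utf-8"))
    scripts = manifest.get("scripts", {})
    report = {
        "name": manifest.get("name"), "version": manifest.get("version"),
        "lifecycle_scripts": {k: v for k, v in scripts.items() if k in LIFECYCLE_HOOKS},
        "dependencies": sorted(manifest.get("dependencies", {})),
        # The review flags a missing source/homepage; the manifest is where it would be.
        "has_source_link": bool(manifest.get("repository") or manifest.get("homepage")),
        "hits": {}, "hosts": set(),
    }
    for path in sorted(pkg_dir.rglob("*.js")):
        text = path.read_text(encoding="utf-8", errors="replace")
        rel = path.relative_to(pkg_dir).as_posix()
        for label, pattern in RISKY_PATTERNS.items():
            if pattern.search(text):
                report["hits"].setdefault(label, []).append(rel)
        report["hosts"].update(URL_RE.findall(text))
    return report

def audit_local_state(home: Path) -> dict:
    """Check the credential and pending-token files the review says the CLI writes."""
    state_dir = home / ".agentspend"
    report = {"credentials_present": False, "credentials_shared_readable": None,
              "pending_status": None, "auto_claim_risk": False}
    cred = state_dir / "credentials.json"
    if cred.is_file():
        report["credentials_present"] = True
        mode = stat.S_IMODE(cred.stat().st_mode)
        report["credentials_shared_readable"] = bool(mode & (stat.S_IRGRP | stat.S_IROTH))
    pending = state_dir / "pending-configure.json"
    if pending.is_file():  # assumed schema: a JSON object carrying a "status" field
        status = json.loads(pending.read_text(encoding="utf-8")).get("status")
        report.update(pending_status=status, auto_claim_risk=status == "ready_to_claim")
    return report

def warnings(pkg: dict, state: dict) -> list[str]:
    """Turn the two reports into the decisions a reviewer would act on."""
    out = []
    if not pkg["has_source_link"]:
        out.append("no repository/homepage in package.json: verify the publisher before npx")
    for hook, cmd in pkg["lifecycle_scripts"].items():
        out.append(f"{hook} hook runs '{cmd}' at install time: read it before installing")
    for label, files in pkg["hits"].items():
        out.append(f"{label} in {', '.join(files)}: review these files")
    if state["credentials_present"] and state["credentials_shared_readable"]:
        out.append("~/.agentspend/credentials.json is readable by other users: chmod 600 it")
    if state["auto_claim_risk"]:
        out.append("pending token is ready_to_claim: remove it unless you started this configure flow")
    return out

def build_sample(root: Path) -> tuple[Path, Path]:
    """Construct a stand-in package tree and home directory (sample data, not real files)."""
    pkg = root / "package"
    (pkg / "src").mkdir(parents=True)
    # The postinstall hook is constructed to exercise the check, not taken from the review.
    (pkg / "package.json").write_text(json.dumps({
        "name": "agentspend", "version": "0.1.3", "bin": {"agentspend": "src/cli.js"},
        "dependencies": {"bcryptjs": "^2.4.3"}, "scripts": {"postinstall": "node src/setup.js"},
    }), encoding="utf-8")
    (pkg / "src" / "cli.js").write_text(
        "const os = require('os');\nconst API = 'https://api.agentspend.co';\n"
        "const dir = require('path').join(os.homedir(), '.agentspend');\n", encoding="utf-8")
    (pkg / "src" / "setup.js").write_text(
        "require('child_process').execSync('echo setup');\n", encoding="utf-8")
    home = root / "home"
    (home / ".agentspend").mkdir(parents=True)
    cred = home / ".agentspend" / "credentials.json"
    cred.write_text(json.dumps({"api_key": "sample-not-a-real-key"}), encoding="utf-8")
    os.chmod(cred, 0o644)  # deliberately too permissive for a secret
    (home / ".agentspend" / "pending-configure.json").write_text(
        json.dumps({"token": "sample-token", "status": "ready_to_claim"}), encoding="utf-8")
    return pkg, home

def run_demo() -> tuple[dict, dict, list[str]]:
    """Build the sample, run both audits and return the reports plus the warnings."""
    with tempfile.TemporaryDirectory() as tmp:
        pkg_dir, home = build_sample(Path(tmp))
        pkg, state = audit_package_dir(pkg_dir), audit_local_state(home)
    return pkg, state, warnings(pkg, state)
```

On the constructed sample, `run_demo()` reports a package with no repository or homepage, a postinstall hook, `bcryptjs` as its only dependency, one contacted host (api.agentspend.co), home-directory writes in src/cli.js and a child_process call in src/setup.js, a world-readable credentials file and a pending token in the ready_to_claim state, and turns those into six actionable warnings. Against a real unpacked tarball, point `audit_package_dir` at the extracted `package/` directory and `audit_local_state` at `Path.home()`; treat every hit as a file to read, not as a verdict.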
Review Dimensions
- Purpose & Capability
  - Note: The name/description (manage cards/crypto and pay for external services) align with the code: the CLI talks to https://api.agentspend.co, implements search/check/pay/configure/status flows, and stores an API key for future payments. However, the registry metadata declared no config paths or credentials, while the CLI actually persists credentials to ~/.agentspend/credentials.json and a pending token file; that runtime behavior should have been declared.
- Instruction Scope
  - Note: SKILL.md instructs agents to run npx agentspend commands to search, check, and pay external endpoints and to configure via a browser dashboard. The instructions do not ask for unrelated system files or secrets, but they do instruct creation and use of local credential files and opening a dashboard to add a card, actions outside a purely ephemeral operation and relevant to user funds and identity.
- Install Mechanism
  - Concern: The skill is marked 'instruction-only' (no install spec), but the package includes full source and a package.json. SKILL.md tells users to run 'npx agentspend', which fetches and executes a package from the registry at run time, so the effective install mechanism is third-party code execution that the metadata does not capture. That fetch-and-execute behavior and the included dependencies (bcryptjs) are legitimate for the task, but running npx executes third-party code on the user's machine and the skill writes files to the user's home directory.
- Credentials
  - Concern: The registry lists no required env vars or config paths, yet the implementation writes credential files to ~/.agentspend (credentials.json and pending-configure.json). The CLI also generates and stores a local API key and can cause charges against a payment method added through the dashboard; these are sensitive capabilities that were not declared in the metadata and should be treated as secrets from a practical perspective.
- Persistence & Privilege
  - Note: The skill persists an API key and pending token to the user's home directory and can auto-claim a pending configure token. It does not request always:true nor modify other skills, but because it can create and use an API key and perform paid requests, autonomous agent invocation could lead to unintended charges unless explicit spending controls (weekly budget, domain allowlist, per-request max-cost) are set and enforced. This combination raises operational risk.
