Openclaw
Review
Audited by ClawScan on May 10, 2026.
Overview
CardZero is a disclosed payment-wallet skill, so the main risk is expected: the agent can use CardZero credentials to initiate USDC payments if you configure it.
Install only if you want the agent to operate a CardZero USDC wallet. Use a small balance as the skill recommends, configure spending limits in the CardZero dashboard, and require explicit approval for every payment.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or improperly confirmed payment could spend funds from the configured wallet.
The skill can initiate real payments and purchases, but the visible instructions disclose this purpose and require confirmation before payment.
“Make payments — Send USDC to any address” ... “Pay x402 paywalls — Automatically pay for HTTP 402-protected resources” ... “Before every payment ... ask for confirmation first”
Keep a low wallet balance, set strict per-transaction and daily limits, and only approve payments after checking the amount, recipient, and reason.

Anyone or any agent with the API key may be able to operate the wallet within the owner’s rules.
The skill requires a CardZero API key and wallet ID, which are expected for this integration but grant delegated access to wallet operations.
“All endpoints except Create Wallet require your API Key” ... “Store it as CARDZERO_API_KEY.”
Use a dedicated low-balance wallet, store the API key securely, revoke it if exposed, and avoid pasting it into unrelated conversations or tools.
