AMEX | Give your Agent your CreditCard

Security checks across malware telemetry and agentic risk

Overview

This payment skill is not clearly malicious, but it gives agents broad spending and selling authority and handles real card data in ways that need careful review.

Review before installing. Only use this if you trust CreditClaw and the publisher, verify the AMEX-branded listing is not implying an affiliation it does not have, keep approval-required spending limits enabled, prefer a low-limit virtual card, avoid the main-agent card-decryption fallback, do not run delivered decrypt scripts outside a sandbox, store secrets in a proper secret manager, and manually review any invoice, payment-link, shop-publishing, top-up, or real-purchase action before allowing an agent to execute it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The document introduces a live purchase endpoint that enables placing real merchant orders, while the skill metadata emphasizes wallet provisioning and strict controls and the file is explicitly noted as not listed in the manifest. This hidden capability materially expands what the skill can do and can mislead reviewers, users, or agents into invoking a sensitive purchasing action without appropriate visibility or policy review.

Context-Inappropriate Capability

Medium
Confidence
82% confidence
Finding
The documented top-up workflow enables an agent to trigger owner-notification and owner-funded replenishment requests, creating a pathway for financially sensitive actions beyond passive shopping. In an agent-skill context, this can be abused for repeated social-engineering prompts or unauthorized spending escalation if explicit human consent and policy controls are weak or absent.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The manifest description materially understates the skill's capabilities. Although it claims to provide payment wallets and strict controls, the file also documents merchant features such as payment links, invoices, checkout pages, and sales operations, which expands the trust and risk surface beyond what a user would reasonably expect from the description alone.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The skill includes public commerce and sales-management features that are not clearly justified by the stated purpose of wallet provisioning and spending control. This creates a scope-creep risk: an agent or user may install a skill for controlled purchasing but unknowingly grant it capabilities to create public payment links, invoices, or storefronts.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill explicitly supports collection of buyer personal data such as names and emails, but provides no privacy notice, data-handling guidance, or minimization warning. In agentic contexts, this can lead operators to collect, transmit, or retain PII without informed disclosure or appropriate safeguards, creating compliance and privacy exposure.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation repeatedly instructs use of a bearer API key but does not warn that this credential grants access to payment, invoice, sales, and shop-management functions. In an LLM/agent setting, omission of credential-handling precautions increases the chance of key leakage via prompts, logs, examples, or downstream tools, which could expose sensitive financial operations.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Although the text says Crossmint places a real order, it does not provide a prominent warning near the capability introduction that invoking this API spends wallet funds and sends shipping address data to external services and merchants. For a purchasing skill, weak disclosure increases the chance of unintended real-world purchases and privacy-impacting data transmission under the guise of routine API use.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly instructs the agent to save a payment-related card artifact to local disk and later use it to decrypt real cardholder data, but it does not require explicit user consent, secure storage controls, file permission hardening, or a prominent warning about the sensitivity of the material. Even if the file is encrypted at rest, it is a durable local secret tied to payment capability; storing it on disk expands the attack surface through filesystem compromise, backup leakage, sync tooling, or accidental retention beyond the intended lifecycle.

External Transmission

Medium
Category
Data Exfiltration
Content
The sub-agent calls this endpoint to retrieve the one-time decryption key:

```bash
curl -X POST https://creditclaw.com/api/v1/bot/rail5/key \
  -H "Authorization: Bearer $CREDITCLAW_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "checkout_id": "r5chk_abc123" }'
```
Confidence
91% confidence
Finding

VirusTotal

66/66 vendors flagged this skill as clean.
