Skillv1.0.5

ClawScan security

AMEX | Give your Agent your CreditCard · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 11, 2026, 12:41 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's described purpose (agent-managed payments) matches the requested API key and documented endpoints, but the runtime instructions ask the agent to download and store files and permit decrypting real card data in the main agent context if sub-agents aren't available — a risky scope expansion that isn't fully justified in metadata.
Guidance: This skill appears to be a genuine agent-facing payments integration, but it asks the agent to download files and handle encrypted card files locally. Before installing or enabling it: 1) Only provide your CREDITCLAW_API_KEY if you trust creditclaw.com and you understand the financial risk. 2) Require the platform to support ephemeral sub-agents (or disallow the fallback) so decrypted card details never appear in the main agent's context. 3) If you download the skill files, inspect them manually before saving/executing; prefer a read-only review rather than executing any provided scripts. 4) Restrict filesystem permissions on .creditclaw and .creditclaw/cards and avoid storing unencrypted card data. 5) Confirm the service's legitimacy (company/site, contact/support) and consider testing in a sandbox account with minimal funds first. If you want, I can list the exact lines that allow main-agent decryption and the curl/save commands for you to review or to create a safe policy to block that behavior.

Review Dimensions

Purpose & Capability: okName/description, API base, and the single required env var (CREDITCLAW_API_KEY) align with a payment/wallet service. The documented endpoints and companion files (checkout, wallet, encrypted-card, stripe-x402) are coherent with a shopping/payment skill.
Instruction Scope: concernThe SKILL.md and companion files instruct the agent to curl skill files from creditclaw.com into ~/.creditclaw and to save encrypted card files to .creditclaw/cards. The encrypted-card flow recommends spawning ephemeral sub-agents to decrypt card data (good), but explicitly allows the main agent to run the decrypt steps if sub-agents aren't supported — this would expose decrypted card data to the main agent. The docs also show concrete shell commands (curl, node decrypt.js, sessions_spawn) even though the skill's declared requirements list no required binaries. Writing and decrypting sensitive payment data in the main agent context is a notable scope/privilege expansion.
Install Mechanism: noteThere is no formal install spec (instruction-only), which minimizes automatic code execution risk. However the SKILL.md includes curl commands that download multiple remote files from https://creditclaw.com and writes them to user paths. The URLs are on the declared domain (creditclaw.com) — consistent with the skill's purpose — but downloading remote content and saving it locally increases risk if you don't inspect the files first.
Credentials: okOnly CREDITCLAW_API_KEY is required and used for API Authorization in examples. That is appropriate and proportionate for a payment integration; no unrelated credentials are requested.
Persistence & Privilege: notealways:false and no install means the skill is not force-included. The instructions do advise persistent storage of encrypted card files and skill docs under ~/.creditclaw and .creditclaw/cards, which is necessary functionally but does create sensitive data on disk. The sub-agent pattern is recommended to limit exposure, but the allowed fallback to main-agent decryption increases persistent-exposure risk.