Shop from Apple - With your creditcard

Security checks across malware telemetry and agentic risk

Overview

This skill is a real-money shopping and payments wallet with disclosed guardrails, but its broad autonomous spending, payment-link, and x402 payment-signing powers need review before installation.

Install only if you intentionally want to give an agent real financial authority through CreditClaw. Keep ask-for-everything approval enabled at first, use low limits and merchant/domain allowlists, avoid enabling payment links, self-hosted cards, Sub-Agent Cards, or x402 unless needed, and protect API keys, webhook secrets, shipping data, tracking data, and X-PAYMENT headers from logs or prompts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Description-Behavior Mismatch

Medium
Confidence: 91%
Finding
The skill markets itself primarily as an owner-guardrailed shopping/payment capability, but it also exposes functionality to generate third-party payment links and receive funds from arbitrary payers. That materially expands the trust and abuse surface into payment collection/merchant behavior, which is not clearly reflected in the manifest description and could cause operators to enable a capability set broader than expected.

Description-Behavior Mismatch

Medium
Confidence: 90%
Finding
The manifest emphasizes shopping with owner approval, but the skill also includes x402 signing and agent-to-agent/on-chain payment capability. Cryptographic payment signing for on-chain settlement is a meaningfully different and higher-risk financial action than ordinary merchant checkout, so under-describing it can lead to unsafe enablement decisions.

Description-Behavior Mismatch

Low
Confidence: 82%
Finding
The API reference exposes a 'Sub-Agent Card' rail that is not described elsewhere in the manifest. Hidden or undocumented payment rails reduce transparency for reviewers and users, making it harder to assess the full financial authority granted by the skill.

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill instructs the agent to submit a full real-world shipping address as part of a purchase flow, but it does not explicitly warn that this personal data will be transmitted to CreditClaw and Amazon to fulfill the order. This creates a privacy and data-handling risk because an agent or user may disclose sensitive PII without clear notice, informed consent, or guidance on minimizing unnecessary address exposure.

Missing User Warnings

Low
Confidence: 88%
Finding
The tracking and webhook sections describe receiving shipment status, tracking numbers, and delivery details, but they do not caution that these are sensitive order-activity data that can reveal purchasing behavior and physical delivery information. If exposed through logs, callbacks, or casual disclosure, this data could enable privacy violations or social engineering around deliveries.

Missing User Warnings

Medium
Confidence: 86%
Finding
The documentation instructs agents to send a bearer API key together with a full shipping address to a third-party service, but it does not include any explicit privacy, consent, or data-handling warning. In an agent-skill context, this increases the risk of unnecessary disclosure of sensitive personal data and accidental use of real credentials or addresses without clear user awareness.

Missing User Warnings

Medium
Confidence: 95%
Finding
The document instructs an agent how to initiate purchases against a linked payment card but does not explicitly warn that these requests can trigger real financial charges, including immediate auto-approved transactions within configured allowance. In an agent-skill context, this omission materially increases the risk of unintended or unauthorized spending because an operator may treat the workflow as a simulation or low-risk API action.

Autonomous Decision Making

Medium
Category: Excessive Agency
Content
**You must follow these rules:**
- If `approval_mode` is `ask_for_everything`, ask your human before any purchase to get their approval. **New accounts default to this mode.** Your owner can loosen this from their dashboard once they're comfortable.
- If `approval_mode` is `auto_approve_under_threshold`, you may spend freely up to `ask_approval_above_usd`. Anything above that requires owner approval.
- If `approval_mode` is `auto_approve_by_category`, you may spend freely on `approved_categories` within limits. All others require approval.
- **Never** spend on `blocked_categories`. These are hard blocks enforced server-side and will be declined.
- Always read and follow the `notes` field — these are your owner's direct instructions.
Confidence: 90%
Finding
auto_approve

Autonomous Decision Making

Medium
Category: Excessive Agency
Content
**You must follow these rules:**
- If `approval_mode` is `ask_for_everything`, ask your human before any purchase to get their approval. **New accounts default to this mode.** Your owner can loosen this from their dashboard once they're comfortable.
- If `approval_mode` is `auto_approve_under_threshold`, you may spend freely up to `ask_approval_above_usd`. Anything above that requires owner approval.
- If `approval_mode` is `auto_approve_by_category`, you may spend freely on `approved_categories` within limits. All others require approval.
- **Never** spend on `blocked_categories`. These are hard blocks enforced server-side and will be declined.
- Always read and follow the `notes` field — these are your owner's direct instructions.
- Cache this for up to 30 minutes. Do not fetch before every micro-purchase.
Confidence: 90%
Finding
auto_approve

VirusTotal

65/65 vendors flagged this skill as clean.