Book a flight or Airbnb | Is your claw a nomad?

This skill appears to implement a payment/wallet integration (CreditClaw) and legitimately requires a CreditClaw API key — but there are several things to check before installing: - Clarify the metadata/title mismatch with the publisher; unexpected names can be a sign of mispackaging. - Only provide an API key you trust the service with; consider using a scoped or rotated key if possible and monitoring its use. - The docs instruct the agent to download files and to execute a decrypt script delivered with encrypted card files. Ensure your agent environment supports spawning true isolated sub-agents (so decrypted card data never touches the main agent). If sub-agent isolation is not available, avoid running the decrypt flow in the main agent. - Review any decrypt.js or other scripts delivered by creditclaw.com before executing them; executing code fetched from the network can be dangerous even when hosted on an expected domain. - If you install files under ~/.creditclaw, verify file permissions and consider isolating or sandboxing that directory. Remove or revoke local artifacts if you stop trusting the skill. - If you need higher assurance, ask the publisher for: a) explanation for the title/slug mismatch, b) a verifiable code release (e.g., GitHub release or package) for the decrypt script, and c) details about sub-agent isolation guarantees. Given these issues, proceed only if you trust creditclaw.com and can enforce the recommended isolation and monitoring practices.