Shop Car Insurance
v1.0.0
Let your agent shop online with guardrailed wallets, multiple payment methods, and owner approval.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (shopping with guardrailed wallets) match the declared API surface and required credential. All endpoints referenced are on creditclaw.com and correspond to the documented rails (prepaid wallet, self-hosted card, Stripe x402). No unrelated credentials or binaries are requested.
Instruction Scope
SKILL.md instructs the agent to call CreditClaw API endpoints, poll status, perform product lookups (including web searches for ASINs), and optionally save skill files locally via curl. These actions are within the expected scope for a shopping skill, but the skill also describes webhook callback_url usage (webhooks will deliver order/approval events to a URL you supply) and instructs the agent to search third‑party sites to find products — both of which expand the interaction surface and could expose order details to any externally configured callback URL or to sites the agent queries.
Install Mechanism
No install spec or packaged code — instruction-only. The SKILL.md shows optional curl commands to download its own docs into ~/.creditclaw/skills; that writes files to the user's home but is an obvious convenience step, not an opaque install of third-party code or binaries.
Credentials
Only a single required environment variable (CREDITCLAW_API_KEY) is declared and used consistently across the files. That credential is the expected primary secret for a payment/wallet integration. No additional unrelated secrets, system config paths, or excessive env requirements are requested.
Persistence & Privilege
The skill is not marked always:true and does not request system-wide configuration changes. It recommends storing its documentation under ~/.creditclaw/skills if desired; otherwise it is instruction-only and does not demand permanent elevated presence.
Assessment
This skill appears coherent for letting an AI use a guarded shopping wallet, but take these practical precautions before installing:
- Only provide a CreditClaw API key if you trust creditclaw.com and the account owner; the API key can be used to make purchases under the owner's guardrails. Treat it like a payment credential.
- The SKILL.md supports registering a callback_url/webhook: if you or your owner configure a callback URL, that endpoint will receive purchase and shipping data (including shipping addresses). Ensure any webhook URL is trusted and secured.
- The agent is instructed to search external sites (e.g., amazon.com) to find ASINs; be aware this involves interactions with third-party sites and could surface product info to whatever systems the agent uses to browse/search.
- The file-saving curl examples will write files into ~/.creditclaw/skills; only run those commands if you trust the source and want local copies.
- Verify the legitimacy of creditclaw.com (owner, support, privacy/terms) before handing over funds or an API key; consider issuing a limited or monitored API key and enabling owner‑approval modes to reduce risk. Rotate the key and audit transactions if anything unexpected occurs.

Like a lobster shell, security has layers — review code before you run it.
latestvk973tgfhhf8qtfs06xpeqwx16h82mqvp
Runtime requirements
Env: CREDITCLAW_API_KEY
Primary env: CREDITCLAW_API_KEY
