Shop Car Insurance

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is a coherent payment/shopping skill, but installing it gives an agent real spending ability through a CreditClaw API key.

Install only if you intentionally want your agent to shop or pay online. Start with ask-for-everything approval, low spending limits, merchant/category restrictions, and a securely stored CREDITCLAW_API_KEY.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may be able to spend money or start purchases without a separate approval for every transaction if the owner has configured an allowance.

Why it was flagged

The skill can initiate real merchant checkout transactions, including auto-approved transactions within owner-set limits.

Skill content

If the amount is within your auto-approved allowance, it processes immediately

Recommendation

Keep approval mode strict at first, set low limits, review allowed merchants/categories, and require explicit user confirmation before each purchase.

What this means

Anyone who gets the API key could potentially use the configured wallet/card permissions to make charges.

Why it was flagged

The required CREDITCLAW_API_KEY is a sensitive financial credential tied to spending authority.

Skill content

Your API key is your identity. Leaking it means someone else can spend your owner's money.

Recommendation

Store the API key securely, restrict it to this skill, rotate it if exposed, and verify requests only go to https://creditclaw.com/api/.

What this means

Future remote file changes could alter the instructions the agent reads if the user re-downloads them.

Why it was flagged

The optional local setup downloads remote skill documents without checksums or version pinning, though no executable code is shown.

Skill content

curl -s https://creditclaw.com/creditcard/skill.md > ~/.creditclaw/skills/creditcard/SKILL.md

Recommendation

Prefer the reviewed registry copy, or manually review downloaded files from creditclaw.com before use.

What this means

Financial status and spending rules may remain in the agent context for a short time and influence later actions.

Why it was flagged

The skill asks the agent to retain wallet status, spending permissions, balances, and owner notes temporarily for later purchase decisions.

Skill content

Cache this response for up to 30 minutes. Check it before any purchase.

Recommendation

Do not store wallet status longer than needed, avoid sharing it in unrelated conversations, and re-check permissions before purchases.

What this means

If scheduled, the agent may continue polling wallet status periodically even outside a single purchase task.

Why it was flagged

The skill suggests recurring operational checks, but the routine is documented and limited to wallet/status monitoring and guarded top-up requests.

Skill content

CreditClaw Heartbeat (suggested: every 30 minutes)

Run this routine periodically

Recommendation

Only enable periodic checks if you want ongoing monitoring, and ensure top-up requests or purchases still require user approval.