Security audit

MasterCard | Is your claw a shopaholic?

Security checks across malware telemetry and agentic risk

Overview

This payment skill is mostly coherent and disclosed, but it gives agents high-impact spending authority and asks them to run remotely delivered decryption code for card data.

Install only if you trust CreditClaw with agentic spending and can enforce strict controls. Keep owner approval enabled, restrict access to CREDITCLAW_API_KEY, avoid the encrypted-card rail unless sub-agent isolation and log redaction are available, review any delivered decrypt script before running it, store card files outside repositories/backups with restrictive permissions, and confirm buyer, invoice, and shipping data before sending it.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (8)

Description-Behavior Mismatch

Medium

Confidence: 91% confidence
Finding: The manifest markets the skill as a shopping/payment tool, but the file also exposes seller monetization features such as payment links, invoices, storefronts, and public shops. This scope mismatch can mislead users and agents into granting trust and permissions under a narrower expectation than the skill actually requires, increasing the chance of unintended financial or data exposure.

Context-Inappropriate Capability

Medium

Confidence: 88% confidence
Finding: The skill includes monetization and storefront management capabilities that are broader than the stated purpose of letting an agent shop with guardrails. Hidden or under-disclosed financial features increase attack surface and can enable unexpected money movement, public exposure of commerce endpoints, or user confusion about what the skill is authorized to do.

Context-Inappropriate Capability

Medium

Confidence: 93% confidence
Finding: The API reference documents broad seller operations—payment links, checkout pages, invoices, sales, and seller profiles—despite the manifest presenting the skill as a shopping aid. This under-disclosure is dangerous because it obscures that the skill can expose public commerce surfaces and handle inbound payments, materially expanding financial and reputational risk.

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The skill documents collecting buyer name/email and transmitting payment-related personal data, but it gives no privacy notice, consent expectations, retention guidance, or warning that data is shared with external processors. In an agent context, this can cause operators to unknowingly collect and process PII in ways that violate user expectations, policy, or regulatory requirements.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The invoice flow instructs agents to send invoices and emails to recipient addresses without warning that this triggers external email delivery or that the recipient should have consented to receive such messages. This creates risk of spam, unauthorized disclosure of billing details, and unintended transmission of personal data to third-party mail systems.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The webhook example includes buyer_email and encourages downstream fulfillment integrations, but does not warn that this propagates buyer PII into external systems. In practice this can lead to over-sharing personal data across services, logs, automations, and vendors that are not necessary for fulfillment.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The document describes a purchase flow that can place real orders and share shipping address data with external infrastructure, but it does not present an explicit warning at the point of use. In an agent skill context, this omission increases the risk of unintended purchases or privacy-impacting data disclosure because users or downstream agents may treat the example as a harmless simulation rather than a live transaction.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The skill instructs the agent to make authenticated periodic requests to an external service using a bearer token, which necessarily transmits wallet/account metadata off-platform. In a payments skill this may be operationally necessary, but the lack of explicit warning, consent language, data-minimization guidance, or trust-boundary disclosure makes it a real security/privacy issue because the agent may poll and expose sensitive financial state more broadly than the user expects.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.