Shop from Microsoft - With your creditcard

Security checks across malware telemetry and agentic risk

Overview

This is a real-money payment skill whose docs mostly disclose the behavior, but its public framing understates broad spending, payment-link, and on-chain payment powers.

Review this as a live financial integration, not just a shopping helper. Install only if you trust CreditClaw, verify the Microsoft/CreditClaw naming mismatch, keep CREDITCLAW_API_KEY in a secret manager, start with ask-for-everything approval, set low per-transaction and daily limits, and enable payment links, auto-approval, top-ups, x402, or agent-to-agent payments only if you explicitly want those capabilities.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Description-Behavior Mismatch

Severity: Medium
Confidence: 87%
Finding:
The skill's manifest and top-level description present it as a shopping/payment-card tool with owner guardrails, but it also exposes a generic payment collection flow that can charge third parties. That capability materially expands the trust boundary and operational use cases beyond what a user may reasonably infer from the manifest, increasing the risk of deceptive invocation or unintended enablement.

Description-Behavior Mismatch

Severity: Medium
Confidence: 84%
Finding:
The manifest frames the skill as online shopping with owner approval, but later documentation adds agent-to-agent/x402 and on-chain settlement features. These are materially different financial behaviors with distinct risks, so under-disclosure can cause users or orchestration systems to grant a broader financial capability than intended.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding:
A generic 'charge anyone' payment-link feature is not naturally implied by a shopping-focused credit-card skill and can be repurposed for billing, fraud, or social-engineering workflows. Even if the backend is legitimate, bundling this broad collection capability into a shopping skill creates unnecessary privilege expansion and weakens least-privilege expectations.

Description-Behavior Mismatch

Severity: Low
Confidence: 70%
Finding:
The API reference mentions a 'Sub-Agent Card' rail that is not described elsewhere in the manifest or narrative, indicating hidden or insufficiently documented capability surface. Undeclared financial rails reduce transparency and can prevent users from accurately assessing what powers the skill may exercise.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The description explicitly advertises autonomous online purchasing and payment capabilities, but it does not clearly warn users that enabling the skill can trigger real spending, charges, and account-affecting transactions. In a commerce/payment skill, omission of an upfront spending-risk warning increases the chance that users authorize the skill without understanding the financial consequences or needed approval controls.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The heartbeat routine instructs the agent to automatically issue a POST top-up request when balance is low, then merely inform the human afterward. That is a state-changing external action on a financial account, and the wording does not require prior user confirmation or make the side effect explicit before execution, creating a risk of unauthorized funding requests and confusing consent boundaries.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
The guide describes how to obtain payment signatures and retry requests with an X-PAYMENT header, but it does not explicitly warn that this action authorizes real on-chain USDC spending from the owner's wallet. In an agent-payment skill, that omission materially increases the chance of unintended financial transactions because users or downstream agents may treat the flow as a routine API retry rather than a spend authorization.

VirusTotal

65/65 vendors flagged this skill as clean.