Shop from Microsoft - With your creditcard
ReviewAudited by ClawScan on May 10, 2026.
Overview
This is a real-money shopping/payment skill that is mostly disclosed, but its Microsoft-branded registry identity does not match the CreditClaw payment service and broad spending authority.
Review this carefully before installing because it can spend real money. Confirm whether this registry entry is actually from CreditClaw, not Microsoft, and only provide the API key after setting strict spending limits, owner approval rules, and clear instructions that the agent must confirm purchases with you first.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user could install it believing it is Microsoft-specific or Microsoft-affiliated, while actually granting a third-party payment service authority to initiate purchases.
The registry branding suggests Microsoft, while the homepage and supplied files are for CreditClaw, a separate broad shopping/payment service. For a skill that can spend money, this mismatch is material.
Name: Shop from Microsoft - With your creditcard ... Slug: microsoft ... Homepage: https://creditclaw.com
Rename and describe the skill as CreditClaw, remove Microsoft branding unless it is truly affiliated or scoped to Microsoft, and verify the provider before adding the API key.
If the API key is exposed or used outside the intended CreditClaw API, another party could spend from the owner-funded wallet.
The skill explicitly uses a bearer API key that can authorize spending; this is purpose-aligned but financially sensitive.
All requests require: `Authorization: Bearer <your-api-key>` ... Your API key is your identity. Leaking it means someone else can spend your owner's money.
Only provide the API key to trusted agents, keep it scoped to creditclaw.com, set strict spending limits and approval requirements, and rotate the key if exposure is suspected.
The agent may be able to buy goods or services without a separate owner approval step if the purchase falls within configured allowances.
The documented API can trigger real-world financial transactions across many merchants, including auto-approved transactions within configured limits. This matches the skill purpose but is high-impact.
Use this rail for: Any online store — SaaS subscriptions, cloud hosting, domain registrations, digital services ... If the amount is within your auto-approved allowance, it processes immediately
Use low per-transaction and daily limits, keep ask-for-everything mode enabled until trusted, and require the agent to confirm exact merchant, item, and price with the user before submitting requests.
If allowed to run autonomously, the agent may periodically check financial status and prompt for wallet top-ups.
The skill suggests recurring agent activity around wallet status and top-up requests. It is disclosed and bounded, but users should be aware before enabling autonomous operation.
CreditClaw Heartbeat (suggested: every 30 minutes) ... Run this routine periodically ... If any rail balance is low (< $5.00): Ask your human if they'd like you to request a top-up
Only enable periodic heartbeat behavior if you want it, and ensure top-up requests require explicit human approval.
Users have less assurance that the registry entry is genuinely controlled by the CreditClaw provider.
The registry does not identify a verified source for a skill that requests a financial API key and can initiate purchases.
Source: unknown
Verify the skill through CreditClaw’s official website or support channel before installing and before setting CREDITCLAW_API_KEY.