Shop from Nvidia - With your claw and creditcard
v1.0.0Buy at Nvidia | Manage compatible cards, wallets & payments. Financial management for Agents and OpenClaw bots.
⭐ 0· 172·0 current·1 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The description and API docs consistently describe a payment/wallet platform (CreditClaw) for agent spending, encrypted-card checkout, and x402/USDC signing. The single required environment variable (CREDITCLAW_API_KEY) is appropriate for that purpose. Minor inconsistency: the skill name/title references 'Nvidia' specifically, but nothing in the files requires Nvidia-specific credentials or endpoints; the content is generic CreditClaw functionality. This could be a labeling/packaging issue rather than malicious intent.
Instruction Scope
SKILL.md and companion documents instruct the agent to call only creditclaw.com API endpoints and to read the provided companion files. There are explicit, repeated warnings about keeping the API key private and not persisting decrypted card data. The only high-sensitivity runtime action the instructions require is performing AES-256-GCM decryption of owner-supplied card details in memory for a single checkout — this is coherent with the stated purpose (making purchases) but increases the risk surface if the agent or environment logs or leaks memory.
Install Mechanism
Instruction-only skill with no install spec and no code files to execute locally. This minimizes risk from arbitrary third-party downloads or on-disk executables.
Credentials
The skill requires a single credential (CREDITCLAW_API_KEY), declared as the primary credential and used for Authorization headers in all API calls — proportionate for a payment service integration. No unrelated secrets, system paths, or additional environment variables are requested.
Persistence & Privilege
The skill does not request permanent presence (always is false) and does not include scripts that modify other skills or system-wide settings. Autonomous invocation is allowed (platform default) but not combined with other elevated privileges.
Assessment
This skill appears internally consistent for giving an agent controlled spending ability via CreditClaw. Before installing, consider: 1) Confirm the name/branding mismatch — the manifest and docs reference creditclaw.com; verify you intended to install CreditClaw and not an Nvidia-specific integration. 2) Treat CREDITCLAW_API_KEY as a sensitive secret: provide a dedicated, limited-scope API key for bots (rotate/revoke if needed) and never share it with other services. 3) The agent will be instructed to decrypt owner card details in memory for checkouts — ensure your agent runtime does not log or transmit memory contents and that decrypted card data cannot be persisted or exfiltrated. 4) Keep approval_mode conservative (e.g., ask_for_everything) until you trust automated behavior; prefer manual approvals for purchases. 5) Verify creditclaw.com (TLS certificate, reputation) and webhook callback URLs in your environment. 6) Monitor the bot's transaction logs and webhook notifications and be ready to freeze the wallet or revoke the API key if you see unexpected activity. If you see additional required env vars, an install script that downloads code, or explicit instructions to send the API key to domains other than creditclaw.com, treat the skill as suspicious and do not proceed.Like a lobster shell, security has layers — review code before you run it.
cardvk97cq4gfg0tfcx25yxgrgbbeh982te8wlatestvk97cq4gfg0tfcx25yxgrgbbeh982te8wnvidiavk97cq4gfg0tfcx25yxgrgbbeh982te8wpaymentsvk97cq4gfg0tfcx25yxgrgbbeh982te8w
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
EnvCREDITCLAW_API_KEY
Primary envCREDITCLAW_API_KEY