Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Shopping Claw | Is your claw a shopaholic?
v2.9.0
Shopping Claw | Give your agent spending power. Financial management for Agents and OpenClaw bots.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (financial enablement for agents) match the declared requirement (CREDITCLAW_API_KEY) and the documented API endpoints. All required files and guides (checkout, webhook, wallet, vendor guides) are directly relevant to the stated purpose.
Instruction Scope
Runtime instructions are extensive and prescriptive (checkout flow, AES-256-GCM decryption, browser automation commands, webhook setup, polling/heartbeat). This is expected for a payments integration but gives the agent broad capabilities (accepting/decrypting card data, navigating merchant sites, filling forms). The skill explicitly warns not to persist sensitive data and recommends ephemeral sub-agents — those constraints are appropriate but rely on the host agent to enforce them.
Install Mechanism
Instruction-only skill with no install spec or downloaded code. Lowest install risk; nothing is written to disk by the skill itself.
Credentials
Only a single env var (CREDITCLAW_API_KEY) is required and is justified by the API-based design. The primaryEnv is declared. No unrelated credentials, binaries, or config paths are requested.
Persistence & Privilege
always:false and user_confirmed invocation are set; the skill is not declared to run persistently or to modify other skills. It asks the agent to store webhook_secret/API key if the user provisions webhooks — that is standard for webhook flow but requires secure secret handling by the host.
Assessment
This skill appears internally consistent for letting an agent make purchases and manage a wallet using an API key. Before installing: verify that you trust creditclaw.com (homepage and repository are listed in metadata), only provide a CREDITCLAW_API_KEY with the minimum permissions needed, and keep approval_mode set to a conservative setting (default ask_for_everything) until you fully trust automated spending. Ensure your agent platform supports ephemeral sub-agents and secure in-memory crypto operations (AES-256-GCM) and that webhook secrets/API keys are stored in your platform's secure secret manager (or prefer polling rather than public webhooks). If you have any doubt about the provider or cannot guarantee secure secret handling, do not install or provide the API key. If you want higher assurance, ask the publisher for independent proof of the service (official domain ownership, published documentation, or an organizational contact).
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
Env: CREDITCLAW_API_KEY
