Shopping Claw | Is your claw a shopaholic?

Security checks across malware telemetry and agentic risk

Overview

This is a high-impact payment automation skill that is mostly disclosed, but it is broader than its Shopify-facing presentation and gives agents raw payment, checkout, webhook, and sales-management authority.

Install only if you intentionally want an agent to spend money through CreditClaw across many merchants, handle sensitive payment data, and manage related sales/webhook settings. Use a dedicated low-limit wallet/card, keep approval_mode as ask_for_everything, restrict merchant/domain permissions, avoid storing raw card data in prompts or logs, and review callback_url changes before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (39)

Description-Behavior Mismatch

Severity: Medium | Confidence: 95%
The guide explicitly describes a full browser-based checkout flow that includes obtaining approval, decrypting card data, filling merchant payment forms, and submitting purchases on external sites. That materially exceeds a narrow 'Shopify tryout' scope and enables generalized payment execution across arbitrary merchants, increasing the chance of unauthorized purchasing and abuse.

Context-Inappropriate Capability

Severity: High | Confidence: 99%
This section instructs the agent to decrypt payment card details and map PAN, expiration, CVV, name, and billing data directly into checkout fields. Giving an automation skill the ability to recover and use full cardholder data for arbitrary web forms creates a direct card misuse path and significantly heightens PCI/security risk, even if the text says not to persist the data.

Description-Behavior Mismatch

Severity: Medium | Confidence: 95%
This management document exposes account-management capabilities for transaction history, profile changes, and webhook reconfiguration that are not aligned with the skill's declared purpose of shopping on Shopify. Scope drift like this is dangerous because it can let a shopping-oriented skill access or alter bot identity and callback infrastructure, increasing the chance of hidden persistence, rerouting, or unauthorized account changes.

Context-Inappropriate Capability

Severity: Medium | Confidence: 97%
Allowing a shopping skill to update bot profile fields and especially the callback_url enables reconfiguration of where sensitive events or payment-related webhooks are delivered. An attacker or compromised agent could redirect callbacks to infrastructure they control, harvest secrets or event data, and disrupt or hijack future bot operations.

Description-Behavior Mismatch

Severity: Medium | Confidence: 93%
The file describes itself as the single decision point for merchant detection, routing, and vendor discovery, which materially broadens scope beyond a Shopify-only buying skill. In a shopping agent context, this turns a narrowly declared capability into a general-purpose procurement router, increasing the chance of unintended merchant access and misuse of checkout automation across unrelated platforms.

Context-Inappropriate Capability

Severity: Medium | Confidence: 89%
The vendor-skill lookup API enables external merchant enumeration and capability discovery that is not necessary for a Shopify-specific purchase assistant. This creates an unnecessary discovery surface that could be used to map supported merchants and route agents into broader automated checkout flows than users expect from the skill description.

Context-Inappropriate Capability

Severity: Medium | Confidence: 95%
The platform-detection script fingerprints multiple ecommerce systems including Amazon, WooCommerce, Squarespace, BigCommerce, Wix, and Magento, which exceeds the declared Shopify use case. In context, this equips the agent to identify and adapt to many storefronts, making the skill effectively cross-platform shopping automation rather than a limited Shopify helper.

Description-Behavior Mismatch

Severity: Medium | Confidence: 94%
The routing table sends users into complete non-Shopify guides for Amazon, WooCommerce, Squarespace, BigCommerce, Wix, Magento, and generic flows. That mismatch between declared purpose and actual routing materially expands operational scope and makes it easier for an agent to perform checkout actions on arbitrary merchants under the guise of a Shopify skill.

Description-Behavior Mismatch

Severity: Medium | Confidence: 92%
The payment-form handling covers generic inline card fields, Stripe Elements, Braintree, Adyen, Shopify iframes, and multi-step flows, enabling broad checkout adaptation well beyond Shopify. In a purchasing skill, generalized payment-form recognition increases the risk of the agent interacting with live payment UIs on many merchants, including those outside user expectations.

Context-Inappropriate Capability

Severity: Low | Confidence: 84%
The Vendor Discovery API exposes search and filtering over merchant catalogs, capabilities, maturity, and checkout methods, which is broader than a narrowly described Shopify purchase flow. While lower impact than direct checkout automation, it still expands reconnaissance and routing capabilities that can support unintended commerce automation across many vendors.

Description-Behavior Mismatch

Severity: Medium | Confidence: 95%
The manifest markets the skill as Shopify shopping, but the file defines a much broader financial platform that can register bots, store credentials, manage spending, poll messages, and transact across multiple rails and merchants. This scope mismatch can mislead users and host platforms about the true capabilities being granted, increasing the risk of over-permissioned deployment and unsafe invocation.

Description-Behavior Mismatch

Severity: Medium | Confidence: 95%
The skill claims to support Shopify shopping, but bundled files add unrelated high-risk capabilities including selling, profile management, webhook configuration, and broader wallet operations. Hidden or under-disclosed functionality is dangerous in payment-related skills because operators may enable it expecting only a narrow checkout helper while actually exposing account-management and commerce features.

Context-Inappropriate Capability

Severity: Medium | Confidence: 92%
The procurement endpoints allow merchant discovery and retrieval of arbitrary vendor checkout skills, which materially expands the trust boundary beyond Shopify. This creates a capability escalation path where a seemingly narrow shopping skill can ingest and act on external checkout instructions from many merchants, increasing exposure to prompt-injection, unsafe workflows, and unauthorized purchasing contexts.

Description-Behavior Mismatch

Severity: Medium | Confidence: 97%
The file metadata and description position this as a Shopify shopping skill, but the content explicitly enables arbitrary-merchant checkout via CreditClaw and Stripe-backed card usage. This scope mismatch is dangerous because it can bypass user expectations, platform review boundaries, and least-privilege assumptions by granting a much broader purchasing capability than advertised.

Context-Inappropriate Capability

Severity: Medium | Confidence: 95%
The documented ability to spawn autonomous sub-agents that inherit the parent agent's credentials materially expands the skill's authority beyond ordinary shopping assistance. Inherited credentials plus autonomous execution create a privilege-propagation risk where a spawned agent can perform sensitive API actions and purchases with limited direct oversight.

Description-Behavior Mismatch

Severity: Medium | Confidence: 88%
This guide goes beyond benign storefront navigation and provides end-to-end instructions for completing purchases, including checkout submission and payment handling. In the context of an agent skill, that materially expands capability into autonomous transaction execution, creating risk of unauthorized purchases, policy bypass, and misuse of user financial data.

Description-Behavior Mismatch

Severity: Medium | Confidence: 96%
The manifest materially differs from the stated skill context: instead of a Shopify-only buying skill, it exposes a broader CreditClaw financial-management capability with spending power across multiple commerce platforms. This scope mismatch can mislead reviewers and users about what the skill can do, increasing the risk of overbroad authorization, unsafe installation, or unintended financial actions.

Description-Behavior Mismatch

Severity: Medium | Confidence: 94%
The file claims to be a WooCommerce merchant guide while the skill metadata describes Shopify shopping, creating a scope and platform mismatch. In a payment-capable shopping skill, this can cause the agent to operate on unintended sites or flows, weakening safety boundaries and increasing the chance of misrouting purchases or handling payment data in the wrong context.

Missing User Warnings

Severity: Medium | Confidence: 91%
The skill explicitly documents collection and transmission of recipient and buyer personal data such as names and email addresses, but provides no user-facing privacy notice, data handling guidance, retention limits, or consent requirements. In a payment/invoicing skill, this creates privacy and compliance risk because an agent may collect and send PII to a third-party service without informing the end user or constraining use.

Missing User Warnings

Severity: Medium | Confidence: 96%
The guide instructs the agent to navigate live stores, add items to cart, proceed to checkout, and inspect payment forms without an explicit warning, consent checkpoint, or safeguard against initiating real purchases. In this context, the skill is directly adjacent to transactional actions, so missing guardrails can lead to unauthorized cart modifications, checkout progression, and accidental financial impact on real merchant accounts.

Vague Triggers

Severity: Medium | Confidence: 89%
The phrase 'You can shop anywhere' is overly broad for a payment-enabled skill and encourages unconstrained use outside the apparent Shopify scope. In the context of a system that can register wallets, retrieve merchant skills, and make purchases, this wording materially increases the chance of misuse and user misunderstanding about where and when the skill may act.

Missing User Warnings

Severity: Medium | Confidence: 91%
The registration flow tells the agent to collect owner_email, obtain an API key, and persist it, but it does not require an explicit user warning or consent before collecting owner-identifying data and provisioning long-lived payment credentials. In a financial context, silently initiating registration and secret storage can create privacy, consent, and account-linking risks even if the backend later enforces spending controls.

Missing User Warnings

Severity: Medium | Confidence: 93%
The skill explicitly instructs the agent to select a saved payment method and click Amazon's final order submission control, but it does not clearly require an explicit user confirmation immediately before the irreversible purchase action. In a shopping automation context, this omission is dangerous because a mistaken interpretation, prompt injection, or navigation error could cause a real financial transaction on the user's Amazon account.

Missing User Warnings

Severity: Medium | Confidence: 96%
The skill gives explicit instructions for entering decrypted payment-card data and CVV into checkout fields, including Stripe iframe handling, without any user-facing warning, consent guardrail, or restriction on handling highly sensitive financial data. In the context of a shopping/payment automation skill, this omission is especially dangerous because it normalizes direct collection and use of cardholder data and could enable unsafe processing of PCI-regulated information, credential misuse, or unauthorized purchases.

Missing User Warnings

Severity: Medium | Confidence: 96%
This guide explicitly instructs an agent to enter decrypted payment card numbers and CVV into checkout forms, but provides no warning, consent boundary, or handling restrictions for highly sensitive financial data. In the context of a universal shopping skill that can be used across arbitrary merchants, this materially increases the risk of unauthorized card use, unsafe secrets exposure in logs or snapshots, and non-compliant payment-data handling.

VirusTotal

65/65 vendors flagged this skill as clean.