Back to skill

Security audit

Shopping Claw | Is your claw a shopaholic?

Security checks across malware telemetry and agentic risk

Overview

The skill is openly designed for agent shopping and payments, but it gives agents high-impact spending authority and raw card-handling workflows that users should review carefully.

Install only if you intentionally want this agent to spend money through CreditClaw. Configure strict per-transaction limits, domain allowlists, and ask-for-everything approval; keep CREDITCLAW_API_KEY in a secrets manager; avoid unknown merchant checkouts; and verify invoices, public shop changes, and final order details before allowing the agent to proceed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • System Prompt LeakageDirect Leakage, Indirect Extraction, Tool-Based Exfiltration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The guide explicitly instructs the agent to decrypt card details and use them to complete third-party payment forms in a browser. Giving an automated agent access to full PAN/CVV and directing it to enter those credentials on arbitrary merchant sites materially increases the risk of payment credential misuse, interception via malicious checkout pages, and unauthorized purchases, even though the document warns not to persist the data.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The browser automation section grants broad capability to navigate pages, detect platforms, interact with iframes, and submit payment forms across sites. In the context of a payment skill, this expands the attack surface substantially: a compromised or deceptive merchant page could manipulate the agent into entering sensitive card data into unintended fields or exfiltration flows, and the guidance does not impose strict domain validation or field-level safety checks.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The file metadata describes a generic fallback shopping guide with universal browser-control behavior, while the overall skill is presented as a payment/financial-management capability. In a spending-enabled agent context, this mismatch increases the risk that the agent may invoke overly broad, weakly constrained purchase flows on arbitrary sites, leading to unintended transactions, poor guardrails, or misuse outside the intended payment scope.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The invoice workflow instructs the agent to send invoices by email, including recipient identity data and a PDF attachment, but does not warn that this transmits customer data to an external email system. In a payment skill, omission of consent/privacy guidance can lead agents to disclose personal and billing information to third parties without user awareness or an explicit approval step.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The sales API and webhook examples include buyer_email/payer_email fields, normalizing collection and downstream handling of personal data without any privacy notice, minimization guidance, or caution about logging. In a commerce skill, exposing email fields without guardrails increases the chance that agents will store, display, or forward buyer PII inappropriately.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The checkout section gives operational instructions for progressing through payment and form-filling without an explicit required confirmation or warning immediately before purchase-affecting actions. In a payment skill, this omission is risky because an agent may continue from cart to checkout and potentially submit payment with insufficient user awareness, increasing the chance of unintended purchases or financially harmful automation.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill gives step-by-step instructions for entering decrypted card numbers, CVV values, and submitting checkout flows without any explicit user-consent checkpoint or warning that these actions handle highly sensitive payment data and may place a real order. In a payment-enablement skill, that omission is especially dangerous because an agent could proceed from browsing into irreversible financial transactions without a clear authorization boundary, increasing the risk of unauthorized purchases and exposure of cardholder data.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The guide explicitly instructs an agent to enter decrypted payment card numbers and CVV values into browser fields, which means highly sensitive financial data is being handled in plaintext during automation. In a payment skill, this may be functionally necessary, but the absence of strong guardrails, data-handling constraints, masking, redaction, scope limits, or explicit user-consent/security warnings makes misuse, logging exposure, prompt leakage, or unauthorized checkout materially more likely.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This guide provides concrete instructions for entering decrypted payment-card data and CVV into checkout flows, including iframe-specific handling, but it does not include any explicit warning about sensitive financial data handling, consent, storage prohibitions, or PCI-compliant boundaries. In a payment-enablement skill, that omission increases the likelihood that downstream agents or integrators will collect, expose, or mishandle cardholder data during automation, especially because the instructions normalize direct PAN/CVV entry as a routine action.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill explicitly recommends using a one-click purchase path ("Buy it now") to proceed directly toward checkout, but it does not require an explicit user confirmation or present any warning before initiating a financially consequential action. In a payment-enabling skill, this materially increases the risk of unauthorized purchases, accidental spending, or abuse by downstream prompts or compromised agents.

Missing User Warnings

High
Confidence
99% confidence
Finding
This section gives detailed operational instructions for entering shipping data, card number, expiry, CVV, and submitting payment, yet provides no user-facing privacy warning, consent checkpoint, or safeguards around handling highly sensitive financial data. Because the skill is specifically designed to give agents spending power, the context makes this more dangerous: it enables end-to-end purchase completion and payment entry with minimal friction, amplifying the chance of credential misuse, unauthorized charges, and exposure of payment data.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill contains operational instructions for handling raw payment card data, including decrypted card number and CVV entry into Stripe iframes, without any visible consent, warning, minimization, or secure-handling guidance. In a payment automation skill, this is especially dangerous because it normalizes agent access to highly sensitive PCI data and could enable unauthorized collection, misuse, or insecure processing of cardholder data.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The guide explicitly instructs an agent to fill billing, shipping, and payment fields, but provides no guardrails around consent, minimization, redaction, or safe handling of highly sensitive personal and card data. In a payment-enablement skill, this omission materially increases the chance that downstream agents will automate collection and entry of PCI/payment data in unsafe contexts or without clear user authorization.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill explicitly instructs an agent to enter decrypted payment card number and CVV into Stripe Elements, but provides no warning, consent boundary, data-minimization guidance, or restrictions on when handling sensitive cardholder data is permitted. In an agentic payment skill, this is especially dangerous because it operationalizes direct exposure of highly sensitive financial data to the agent runtime and logs, increasing the risk of PCI scope expansion, accidental retention, exfiltration, or misuse.

External Transmission

Medium
Category
Data Exfiltration
Content
## Step 2: Get Decryption Key

```bash
curl -X POST https://creditclaw.com/api/v1/bot/rail5/key \
  -H "Authorization: Bearer $CREDITCLAW_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "checkout_id": "r5chk_abc123" }'
Confidence
87% confidence
Finding
curl -X POST https://creditclaw.com/api/v1/bot/rail5/key \ -H "Authorization: Bearer $CREDITCLAW_API_KEY" \ -H "Content-Type: application/json" \ -d

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.