Complete US Tax Returns - With your creditcard

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real CreditClaw payments skill, but its Amazon-shopping framing does not match the broad spending, card-handling, payment-collection, invoicing, and public storefront authority it documents.

Install only if you intend to give an agent broad CreditClaw payments authority, not just Amazon shopping. Use ask-for-everything approval, avoid auto-spend and seller/invoice features unless explicitly needed, keep the API key in a secrets manager, verify all payment recipients and domains, and avoid the encrypted-card rail unless checkout can run in an isolated no-log environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (17)

Description-Behavior Mismatch

Severity: High
Confidence: 99%
Finding:
The skill metadata says this is an Amazon shopping capability with guardrailed wallets and owner approval, but the file instead documents broad merchant/payment features: public checkout pages, invoices, payment links, webhooks, and storefront publishing. This scope expansion materially increases what an agent can do with the provided credentials and enables money collection and public commerce workflows unrelated to the advertised purpose, which can bypass user expectations and policy controls.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding:
Public seller-profile and storefront publishing are unrelated to buying items on Amazon and allow an agent to create a public commercial presence, expose product listings, and publish externally accessible content. In the context of an Amazon shopping skill, this is especially dangerous because operators may grant access expecting constrained purchasing behavior, not public monetization or brand impersonation risk.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding:
Invoice creation and outbound invoice email delivery let the agent contact third parties, request payment, and generate externally visible financial records. That is outside the stated Amazon shopping purpose and could be abused for spam, social engineering, unauthorized billing, or accidental disclosure of customer data and business details.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding:
Payment-link generation enables direct collection of funds from third parties through Stripe checkout URLs, which is not justified by an Amazon shopping workflow. Even if rate-limited, this could be used to solicit payments, send unauthorized charges, or create fraudulent-looking payment requests under the operator's account.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding:
This document expands the skill's apparent purchasing scope from Amazon-only to Shopify and arbitrary URL merchants, creating a capability mismatch between the published skill identity and the documented behavior. That mismatch can mislead users, reviewers, or agents into enabling broader real-world purchasing than expected, weakening trust and guardrail assumptions.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding:
The purchase flow is documented as a generic merchant-routing wallet that places real orders on a user's behalf, not a narrowly scoped Amazon skill. In a purchasing skill, undocumented broad transaction capability increases the risk of policy bypass, reviewer misunderstanding, and unintended spending at merchants outside the expected trust boundary.

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding:
The skill is presented as an Amazon shopping integration, but the document materially expands scope into generic wallet management, payment rails, top-ups, invoices, checkout pages, and seller operations. This creates a capability mismatch that can mislead users and downstream agents into granting broader financial authority than the declared purpose justifies.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding:
The inclusion of payment-collection and seller capabilities is outside the stated scope of 'shop on Amazon' and materially increases financial risk. An agent enabled for purchasing could also be induced to create payment links, invoices, or storefronts, expanding exposure from spending to funds movement and commerce operations.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The file documents collection and transmission of buyer personal data such as name and email without any privacy notice, consent guidance, retention limits, or disclosure warning. In an agent skill, this raises the risk that operators unknowingly process PII and expose it to external services or logs without appropriate safeguards.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
Sending invoices by email and triggering webhook-based fulfillment are external and potentially irreversible actions, yet the skill provides no warning about third-party disclosure, downstream automation, or accidental fulfillment. This is risky because an agent could email customers or provision goods/services based on incomplete verification or misrouted payments.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The example instructs transmission of sensitive personal and transactional data, including full shipping address, product details, and authorization credentials, for a real purchase flow without an explicit warning about privacy, billing, and real-world consequences. In a wallet-enabled shopping skill, omission of those warnings increases the chance of users or downstream agents sending sensitive data or placing unintended orders without informed consent.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The skill explicitly instructs the agent to save a self-contained encrypted payment card file to local disk, but it does not require secure storage controls such as restricted permissions, dedicated secret storage, encrypted-at-rest handling, or explicit lifecycle deletion. Even though the card is encrypted, the file contains the ciphertext and decryption script, and the workflow later retrieves the one-time key separately; compromise of the agent host, workspace, logs, backups, or synced files could expose highly sensitive payment material and enable misuse once a key is obtained during checkout.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
The file explains how an agent can obtain payment signatures and spend USDC on-chain, but it does not include a clear, prominent warning that these actions can move real funds and incur irreversible charges. In an agent-skill context, that omission increases the risk that developers or operators enable automated spending without fully understanding the financial consequences.

External Transmission

Severity: Medium
Category: Data Exfiltration
Content:
The sub-agent calls this endpoint to retrieve the one-time decryption key:

```bash
curl -X POST https://creditclaw.com/api/v1/bot/rail5/key \
  -H "Authorization: Bearer $CREDITCLAW_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "checkout_id": "r5chk_abc123" }'
```
Confidence: 89%

External Transmission

Severity: Medium
Category: Data Exfiltration
Content:
### Fetch Pending Messages

```bash
curl https://creditclaw.com/api/v1/bot/messages \
  -H "Authorization: Bearer $CREDITCLAW_API_KEY"
```
Confidence: 84%

Autonomous Decision Making

Severity: Medium
Category: Excessive Agency
Content:
**You must follow these rules:**
- If `approval_mode` is `ask_for_everything`, ask your human before any purchase to get their approval. **New accounts default to this mode.** Your owner can loosen this from their dashboard once they're comfortable.
- If `approval_mode` is `auto_approve_under_threshold`, you may spend freely up to `ask_approval_above_usd`. Anything above that requires owner approval.
- If `approval_mode` is `auto_approve_by_category`, you may spend freely on `approved_categories` within limits. All others require approval.
- **Never** spend on `blocked_categories`. These are hard blocks enforced server-side and will be declined.
- Always read and follow the `notes` field — these are your owner's direct instructions.
Confidence: 86%
Finding: `auto_approve`

Autonomous Decision Making

Severity: Medium
Category: Excessive Agency
Content:
**You must follow these rules:**
- If `approval_mode` is `ask_for_everything`, ask your human before any purchase to get their approval. **New accounts default to this mode.** Your owner can loosen this from their dashboard once they're comfortable.
- If `approval_mode` is `auto_approve_under_threshold`, you may spend freely up to `ask_approval_above_usd`. Anything above that requires owner approval.
- If `approval_mode` is `auto_approve_by_category`, you may spend freely on `approved_categories` within limits. All others require approval.
- **Never** spend on `blocked_categories`. These are hard blocks enforced server-side and will be declined.
- Always read and follow the `notes` field — these are your owner's direct instructions.
- Cache this for up to 30 minutes. Do not fetch before every micro-purchase.
Confidence: 86%
Finding: `auto_approve`

VirusTotal

66/66 vendors flagged this skill as clean.
