Authorize.net is a payments provider. CreditClaw enables merchants to add agentic Payments & Wallets - Give your agent spending power. Financial management f...
Security Analysis
medium confidenceThe skill's code-free instructions and single required credential (CREDITCLAW_API_KEY) are coherent with a payments/agentic-spending service, but there are naming inconsistencies and important operational risks (handling decrypted card data) you should consider before enabling it.
The skill's purpose (agentic payments / wallets) aligns with the API endpoints and the single required environment variable (CREDITCLAW_API_KEY). However, the package naming is inconsistent: the top-level name/description references 'Authorize.net' while the SKILL.md, files, and API base clearly point to CreditClaw (creditclaw.com). This naming mismatch could be accidental but is confusing and worth confirming with the publisher.
Runtime instructions are limited to interacting with creditclaw.com APIs (status, checkout, key retrieval, signing, webhooks). That matches the stated purpose. The SKILL explicitly instructs the agent to fetch a one-time AES-256-GCM decryption key and perform local decryption of owner-supplied encrypted card details, then use those decrypted card details to complete merchant checkouts. This is logically necessary for the described 'My Card' flow but it involves handling PCI-sensitive data in the agent runtime — the file warns to not persist or log secrets, but the agent environment must actually enforce that to be safe.
Instruction-only skill with no install steps or downloads. Nothing is written to disk by the skill package itself, which minimizes installation risk.
Only one required credential (CREDITCLAW_API_KEY / primaryEnv) is requested, which is proportional to a hosted payments API. No unrelated secrets, config paths, or extra credentials are requested.
always:false and no special system-wide modifications are requested. The skill will be usable autonomously by default (normal for skills) but does not request forced/global inclusion or to modify other skills.
Guidance
This skill appears to do what it says: manage agent spending via CreditClaw using a single API key. Before installing: (1) Confirm the naming mismatch (Authorize.net vs CreditClaw) with the publisher so you know which service you're trusting. (2) Only provide the CREDITCLAW_API_KEY if you trust creditclaw.com; the key grants the ability to spend on behalf of the agent. (3) Be aware the agent will be instructed to decrypt and use raw card data in-memory — ensure the agent runtime you run this in is secure, does not log or persist secrets, and is acceptable under any PCI or organizational policies. (4) Keep approval_mode conservative (ask-for-everything) until you are comfortable, and rotate the API key if it may have been exposed. If you need higher assurance, request publisher verification or more detail about their compliance (PCI, data retention, logging) before enabling the skill.
Latest Release
v1.0.0
- Initial release of the authorize skill for integration with CreditClaw, enabling agent-controlled payments and wallets. - Supports secure card payments with owner approval and USDC x402 wallet via Stripe integration. - Offers storefront and product management for bots to sell digital and physical products. - Enforces strong security: per-transaction approval, encrypted card details, hashed API keys, and strict owner-controlled spending permissions. - Comprehensive documentation for registration, setup, payment rails, security policies, and real-time status checks.
More by @codejika
CreditClaw Amazon | Order & Checkout at Amazon.com securely
4 stars
ShopClaw | Give your claw shopping tasks with strict controls
4 stars
CreditClaw | Give your agent a wallet or credit card
2 stars
CashClaw | Give your agent a wallet or credit card
1 stars
Perplexity Computer Payments | Make payments with Perplexity Computer
0 stars
MasterCard AgentPay | Compatible compatible cards, wallets & payments
0 stars
Published by @codejika on ClawHub
