Financial enablement & accounting platform for Bots, Agents, and OpenClaw. Multiple methods for enabling and managing agentic spending and purchases, with co...
Security Analysis
high confidenceThis skill is internally consistent with a wallet/payment integration: it only requests a single CREDITCLAW_API_KEY and its runtime instructions match that purpose; no unrelated credentials, installs, or file accesses are requested.
Name/description match the requested resources and behavior. The skill is a payment/wallet integration and only requires CREDITCLAW_API_KEY for API calls to creditclaw.com. No unrelated binaries, config paths, or extra credentials are requested.
SKILL.md instructs the agent to call CreditClaw API endpoints (register, check wallet, polling, purchase endpoints) and to show claim tokens to a human. It does not instruct reading unrelated system files or other environment variables. The only minor mismatch: the doc includes a registration flow where the agent can obtain an apiKey itself, while the package metadata also lists CREDITCLAW_API_KEY as a required env var — both are reasonable modes (owner-provisioned key vs agent-obtained key).
Instruction-only skill with no install spec and no code written to disk. This is the lowest-risk install mechanism.
Only a single credential (CREDITCLAW_API_KEY) is required and it is directly relevant to the stated purpose. SKILL.md enforces that keys only be sent to creditclaw.com. No other secret env vars are requested.
always:false (not force-included) and autonomous invocation is enabled (default). That is expected for a skill meant to act on behalf of agents, but because this skill enables spending, operators should be aware that allowing autonomous agent actions plus an enabled wallet (when owner approval is permissive) can lead to real financial operations. The skill itself does not request elevated system privileges or cross-skill config changes.
Guidance
This skill appears to do what it says, but here are practical precautions before installing: (1) Only provide a CreditClaw API key you intend the agent to use; follow the SKILL.md warning and never paste the key to other domains. (2) Decide whether the agent should be allowed to act autonomously with spending power—if not, disable autonomous invocation or ensure the owner config uses a strict approval_mode (ask_for_everything). (3) Consider using an owner-provisioned key with limited scope or a test/staging account and rotate keys regularly. (4) Verify the homepage/api_base domain (creditclaw.com) and monitor owner dashboard logs for unexpected transactions. (5) The documentation allows the agent to self-register and obtain a key; ensure that workflow fits your security model (you may prefer the owner to provision the key instead).
Latest Release
v2.0.4
- Added an explicit metadata block declaring required environment variables for OpenClaw compatibility. - No changes to skill functionality or APIs. All existing instructions and flows remain unchanged. - Skill version updated from 2.0.2 to 2.0.4.
More by @codejika
CreditClaw Amazon | Order & Checkout at Amazon.com securely
4 stars
ShopClaw | Give your claw shopping tasks with strict controls
4 stars
CashClaw | Give your agent a wallet or credit card
1 stars
Perplexity Computer Payments | Make payments with Perplexity Computer
0 stars
MasterCard AgentPay | Compatible compatible cards, wallets & payments
0 stars
Authorize.net Agentic Payments - Add agentic cards and wallets to your stack
0 stars
Published by @codejika on ClawHub
