Enable controlled online shopping with prepaid wallets and spending limits, supporting Amazon, Shopify, and multiple payment rails with owner oversight.
Security Analysis
high confidenceThis is an instruction-only connector to CreditClaw that requires a single CreditClaw API key and its requests, endpoints, and behavior are internally consistent with the advertised shopping/wallet purpose.
The skill's name/description (agent-enabled shopping with prepaid wallets and owner guardrails) matches the declared requirement (a single CREDITCLAW_API_KEY) and the runtime instructions, which all call only creditclaw.com api endpoints. No unrelated credentials, binaries, or config paths are requested.
SKILL.md and companion files give precise curl examples, polling schedules, registration and purchase flows, and optional local install instructions (writing files under ~/.creditclaw/skills/shopping). The instructions do not ask the agent to read unrelated system files or non-creditclaw endpoints. Note: examples show the API key used in Authorization headers in shell commands — users should avoid pasting secrets into shared shells or logs.
There is no install spec or code to download/execute beyond optional curl commands to fetch the skill documentation from creditclaw.com. This is lower-risk than pulling arbitrary archives or packages from untrusted hosts. The referenced URLs are all under creditclaw.com (the declared homepage/api base).
Only one environment variable is required (CREDITCLAW_API_KEY), which is appropriate for an API-based payment/wallet service. The docs explicitly state that owner payment details are handled by Stripe and that raw card numbers are not sent to CreditClaw, so no additional payment credentials are requested.
The skill is not forced-always and is user-invocable. The files it suggests saving are scoped to ~/.creditclaw/skills/shopping (its own path). It also recommends polling (every ~30 minutes) which implies ongoing network activity if the agent runs it; this is expected for a wallet-monitoring integration but users should be aware of the periodic checks and any auto-approval policies their owner may enable.
Guidance
This skill appears coherent and limited to interacting with creditclaw.com, but take these precautions before enabling it: 1) Verify creditclaw.com is the legitimate service you expect (check TLS certificate, homepage, and company info). 2) Only provide CREDITCLAW_API_KEY if you trust the owner/service — anyone with that key can initiate spend attempts within the owner-configured guardrails. 3) Keep approval_mode = ask_for_everything until you’re confident in behavior; monitor transactions and logs from the owner dashboard. 4) Avoid pasting the API key into shared shells or chat; environment variables can be visible in process lists or shell history depending on how you set them. 5) If you install files locally via the provided curl commands, fetch them over HTTPS only and inspect the downloaded files before running or persisting them. If you want extra assurance, contact CreditClaw directly through their official site to confirm the integration details.
Latest Release
v1.0.3
- Removed the description.md file from the skill package. - Updated SKILL.md instructions to clarify file management: users can now download and install skill files locally, or read them directly from URLs. - No changes to core functionality or APIs.
More by @codejika
CreditClaw Amazon | Order & Checkout at Amazon.com securely
4 stars
CreditClaw | Give your agent a wallet or credit card
2 stars
CashClaw | Give your agent a wallet or credit card
1 stars
Perplexity Computer Payments | Make payments with Perplexity Computer
0 stars
MasterCard AgentPay | Compatible compatible cards, wallets & payments
0 stars
Authorize.net Agentic Payments - Add agentic cards and wallets to your stack
0 stars
Published by @codejika on ClawHub
