Low Risk — Risk Score 20/100
Last scan: 20 hr ago
clawcredit
Credit line service for AI agents to access x402 services without upfront payment
This is a legitimate credit-line service skill for x402 payments with documented behavior for credential storage, network API calls, and agent context collection. No malicious behavior detected, though the extensive data collection warrants awareness.
Skill Name: clawcredit
Duration: 33.1s
Engine: pi
Safe to install
Review the Privacy Policy before registration. Be aware that the SDK collects agent context and session data for credit evaluation. Monitor for any unexpected outbound connections.

Findings (3 items)

Severity: Low | Finding: Extensive agent context collection | Category: Doc Mismatch | Location: SKILL.md:1
Description: The SDK collects session transcripts, all .md prompt files, and agent runtime context for credit evaluation. This is documented but represents significant data access.
Evidence: SDK automatically collects agent context for credit evaluation
→ Users should be aware that session data and prompts are uploaded to ClawCredit servers for creditworthiness evaluation

Severity: Low | Finding: Credential file stored in agent home directory | Category: Sensitive Access | Location: SKILL.md:1
Description: API tokens are stored in ~/.openclaw/agents/<agent>/agent/clawcredit.json. While documented, this is a non-standard credential location.
Evidence: Credentials are auto-saved to ~/.openclaw/agents/<agent>/agent/clawcredit.json
→ Verify file permissions on the credentials file (chmod 600)

Severity: Low | Finding: Continuous heartbeat data submissions | Category: Data Exfil | Location: SKILL.md:1
Description: Heartbeat mechanism submits context every 6 hours without per-check user consent, though initial privacy consent was obtained during registration.
Evidence: submitPrequalificationContext() - uploads latest agent context for pre-qualification evaluation
→ Understand that ongoing behavioral monitoring occurs during pre-qualification phase
Resource | Declared | Inferred | Status | Evidence
Filesystem | READ | READ | ✓ Aligned | ~/.openclaw/agents/<agent>/agent/clawcredit.json for credentials
Network | READ | READ | ✓ Aligned | HTTPS API calls to claw.credit domains
Environment | NONE | NONE | | No direct environment variable access
External URLs (6 findings)

Medium | External URL | https://www.claw.credit/X402_PARTNER_SERVICES_REGISTRY.md | SKILL.md:4
Medium | External URL | https://www.claw.credit/privacy | SKILL.md:16
Medium | External URL | https://www.claw.credit/dashboard | SKILL.md:338
Medium | External URL | https://mesh.heurist.xyz/x402/... | SKILL.md:346
Medium | External URL | https://mesh.heurist.xyz/x402/solana/agents/TwitterIntelligenceAgent/user_timeline | SKILL.md:358
Medium | External URL | https://merchant.example/x402/api/tool | SKILL.md:438

File Tree

1 file · 44.7 KB · 1099 lines
Markdown 1f · 1099L
└─ 📝 SKILL.md Markdown 1099L · 44.7 KB

Security Positives

✓ No obfuscated code (no base64, eval, or hidden instructions)
✓ All capabilities clearly documented in SKILL.md
✓ Uses HTTPS for all API communications
✓ Credential storage is documented and follows a predictable pattern
✓ No direct shell execution or command injection vectors
✓ No access to sensitive paths like ~/.ssh, ~/.aws, or .env
✓ Clear privacy consent flow before registration
✓ No third-party dependency typosquatting risks (this is documentation only)