clawcard
Warn
Audited by Snyk on Apr 6, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). This skill clearly ingests and acts on untrusted third-party web content — e.g., reference/checkout.md instructs using launch_browser + snapshot/fill to navigate arbitrary checkout URLs and fill/submit forms, and reference/catalog-scrape.md and reference/catalog-research.md include scrape-url, crawl-site, web-search, and deep-research that fetch and return public webpage/social content which the agent is expected to read and use to drive tool actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.80). The skill's MCP setup explicitly instructs fetching and running remote code via npx (e.g., "clawcard mcp add -e CLAWCARD_API_KEY= clawcard-browser -- npx @clawcard/browser" and the mcporter config with "command":"npx","args":["@clawcard/browser"]), which will download and execute external package code at runtime and is required for the browser checkout MCP functionality.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill explicitly provides commands and tooling to move money and perform purchases. Examples:
"clawcard agent pay <slug> '<json>'" to pay for capabilities (deducts from account balance), "clawcard agent info" shows balance, virtual card management (clawcard agent cards create --amount <cents> --type merchant_locked), and a browser-checkout flow with "fill_checkout" that fills payment fields and completes purchases. The catalog is full of paid capabilities and every call deducts from balance. These are specific payment/checkout/virtual-card APIs (not generic browser or HTTP tools) intended to execute financial transactions.
Issues (3)
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
- W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
- W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).