clawcard

SUSPICIOUS: The skill is internally consistent with its stated purpose, but that purpose is itself high impact. It grants autonomous messaging, financial spending, card retrieval, and hosted secret storage, while instructing the agent to read a local API key file and send sensitive data to a third-party platform. This is not clearly malicious, but it is a high-risk skill that should require strong user approval and tight operational controls.