Lemonsqueezy Admin

Security checks across malware telemetry and agentic risk

Overview

This is a simple Lemon Squeezy admin helper that discloses its API key requirement and only shows read-oriented store commands, though users should treat displayed customer data as sensitive.

Install only if you trust the `ls-admin` CLI that will execute these commands. Use the least-privileged Lemon Squeezy API key available, avoid sharing command output that contains customer emails or revenue data, and rotate the key if it is exposed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 84% confidence
Finding: The skill documentation shows customer order output containing a full email address, which normalizes exposing personally identifiable information in terminal output without any warning about privacy, access control, or safe handling. In an admin-focused skill, this increases the chance that operators will disclose customer data in shared terminals, logs, screenshots, or shell history, causing unnecessary privacy exposure.

VirusTotal

39/39 vendors flagged this skill as clean.

View on VirusTotal