Back to skill

Security audit

Lemonsqueezy Admin

Security checks across malware telemetry and agentic risk

Overview

This skill is a simple Lemon Squeezy admin helper that clearly requires an API key and shows read-oriented store commands, with customer data handling as the main caution.

Install only if you trust the ls-admin CLI available in your environment. Use the least-privileged Lemon Squeezy API key available, avoid sharing terminal output or screenshots that include customer emails or revenue data, and rotate the key if it is exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The example output includes a customer's email address in a command-line listing of orders, which exposes personally identifiable information without any warning, masking, or stated access-control expectations. In an admin tool this may be functionally relevant, but embedding raw customer identifiers in examples normalizes unnecessary PII exposure and increases the chance of disclosure via shared terminals, logs, screenshots, or copied documentation.

VirusTotal

39/39 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.