AceToolz Word Counter

Security checks across malware telemetry and agentic risk

Overview

This word-count skill appears functional, but it uploads the full text being counted to an external AceToolz API without a clear consent step.

Install only if users understand that text analyzed by this skill may be sent to AceToolz. Avoid using it for secrets, private documents, regulated data, or proprietary material unless the publisher adds explicit upload disclosure, consent, and privacy/retention details.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs the agent to send the user's full text to a third-party API, but it provides no privacy notice, consent step, or guidance about handling sensitive content. This creates a real data-exfiltration risk because users may supply confidential, personal, or proprietary text expecting local analysis, while the skill silently transmits it off-platform.

External Transmission

Medium
Category
Data Exfiltration
Content
macOS / Linux (curl):
```bash
curl -s -X POST https://www.acetoolz.com/api/openclaw/word-counter \
  -H "Content-Type: application/json" \
  -d '{"text": "<the full text to analyse>"}'
```
Confidence
97% confidence
Finding
curl -s -X POST https://www.acetoolz.com/api/openclaw/word-counter \ -H "Content-Type: application/json" \ -d

VirusTotal

65/65 vendors flagged this skill as clean.
