Back to skill

Security audit

Prospairrow Websites MCP

Security checks across malware telemetry and agentic risk

Overview

The skill is not malicious, but it needs review because it handles live Prospairrow credentials and some supposedly read-only scoring actions can still make account-affecting POST calls.

Install only if you are comfortable letting a local agent use your Prospairrow account and prospect data. Prefer read-only mode unless you need mutations, treat get_icp_score/get_company_score as potentially state-changing or quota-affecting despite their labels, keep API keys out of shell history, avoid custom WEBSITES_MCP_DIR values, and enable diagnostics or saved browser sessions only on trusted machines.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Scope Creep

High
Confidence
85% confidence
Finding
Tasks like apollo_enrich, enrich_prospects, and potentially generate/update-oriented operations suggest modification or persistence of prospect records, which conflicts with a READ_ONLY declaration. Even if enrichment sometimes only fetches data, the naming and sales-pipeline context imply data updates that could bypass expected restrictions or mislead security controls.

Scope Creep

Medium
Confidence
85% confidence
Finding
Tasks like apollo_enrich, enrich_prospects, and potentially generate/update-oriented operations suggest modification or persistence of prospect records, which conflicts with a READ_ONLY declaration. Even if enrichment sometimes only fetches data, the naming and sales-pipeline context imply data updates that could bypass expected restrictions or mislead security controls.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The code resolves the Prospairrow API key not only from explicit task input, but also from process environment variables and a local user config file under ~/.openclaw/openclaw.json. That broadens the trust boundary and can cause the skill to silently use credentials the user did not intend to expose to this task, creating credential sourcing and least-privilege violations.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The bootstrapLogin flow launches a headed browser, asks the operator to log in manually, then persists the resulting browser storage state to disk for later reuse. Persistent session capture materially increases the sensitivity of the skill because stolen or reused storage state can grant authenticated access without re-entering credentials, and this behavior is not reflected in the described skill purpose.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The file implements unrestricted Playwright browser automation that simply opens an arbitrary public website, which does not align with the declared Prospairrow-specific lead-enrichment purpose. In an agent skill, generic browsing code expands the capability surface beyond the stated function and could be repurposed to access unrelated sites, scrape data, or interact with web content without clear justification.

Context-Inappropriate Capability

Low
Confidence
84% confidence
Finding
The presence of generic web-browsing capability in a skill advertised as providing direct access to Prospairrow introduces unnecessary privilege and weakens the trust boundary of the integration. Even though the current code only visits example.com, the capability itself is broader than the stated business need, making the skill more dangerous in context because users would not expect open-ended browsing behavior.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The document exposes multiple WRITE-capable tasks such as add_prospects, enrich_prospects, and apollo_enrich, but it does not prominently warn that invoking them can create or modify remote records and potentially trigger paid or irreversible operations. In an agent-skill context, this increases the chance that an autonomous agent will execute state-changing actions based on examples alone, causing unintended data mutation or external side effects.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The activation guidance says to use the skill when the user asks to run Prospairrow actions through MCP/API, which is broad enough that an agent could activate the skill on loosely related sales, prospecting, enrichment, or content-generation requests. In a skill that can perform WRITE actions and use API credentials, overly broad triggering raises the chance of unnecessary external data disclosure, unintended writes, or surprising use of privileged integrations.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The installation instructions tell users to pass the API key directly in shell commands and environment variables without any warning about shell history, process inspection, or secure secret storage. This can expose the key to local logs, terminal history, screenshots, or other users on the same system, especially in shared or developer workstation environments.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation explicitly instructs operators to start a read/write-enabled runtime using a live API key, but it provides no warning that this mode can modify remote data or trigger state-changing actions. In an agent skill context, normalizing write-enabled startup as the default operational path increases the risk of accidental or unauthorized changes, especially if users or downstream agents do not appreciate the difference between read-only and write modes.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The example shows a bearer-authenticated task invocation with no warning about data sensitivity, side effects, or downstream processing of prospect/company data. In a lead-generation skill that handles enriched firmographics, tech stacks, and contacts, this can encourage users or agents to run authenticated actions without understanding privacy, compliance, or operational impact.

Missing User Warnings

Low
Confidence
75% confidence
Finding
The function persistently logs arbitrary invocation payloads to disk without any filtering, minimization, or redaction. In a lead-generation and enrichment skill, payloads may contain prospect data, API-derived company information, credentials, or other sensitive business data, so local log files can become a secondary data-exposure surface if accessed by other users, processes, backups, or support tooling.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This path reads sensitive API keys from environment variables and user config without any user-facing warning, confirmation, or runtime disclosure. Silent secret consumption makes it easy for an agent or operator to trigger authenticated actions with unintended credentials, reducing transparency and increasing the chance of misuse.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The code conditionally captures a full-page screenshot and stores it under a predictable local artifacts directory, which can include sensitive CRM/app data such as prospect lists, contact details, and account information visible in the browser session. In this skill context, the application handles lead generation and company/contact enrichment, so diagnostics may persist regulated or proprietary business data to disk where it can be retained, accessed by other processes, or unintentionally exfiltrated through logs/artifact collection.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
src/sites/prospairrow/tasks/_api.ts:60