
Security audit

Poe Connector

Security checks across malware telemetry and agentic risk

Overview

This Poe connector is mostly purpose-aligned, but it needs review because it can send prompts and chosen local files to Poe and auto-download model-returned URLs without tight safeguards.

Install only if you are comfortable routing selected prompts and any attached files to Poe. Avoid uploading secrets, private keys, confidential documents, or regulated data; use a dedicated Poe API key, protect the OpenClaw config file, and review generated media downloads before redistributing them.

SkillSpector (by NVIDIA)

Vulnerability patterns checked
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (14)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 95%
Finding:
The skill clearly instructs the agent to execute a local shell script, read configuration and files, write generated media to disk, and communicate with an external service, yet it declares no permissions. This creates a transparency and policy-enforcement gap: users and the platform may not realize the skill can access local files and transmit data off-host to Poe, increasing the risk of unintended data exposure.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding:
This code expands the skill from merely accessing Poe models into automatically fetching arbitrary URLs returned by a model and producing downstream delivery instructions for another tool. Because model output is untrusted, this creates a cross-boundary action where remote content can be written to local disk and then encouraged for exfiltration or redistribution, increasing the risk of SSRF-style fetches, unsafe file handling, and unintended multi-tool chaining.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding:
The Telegram-specific handoff hint is outside the declared purpose of a Poe connector and encourages the agent to pass generated or fetched media directly into another capability. This kind of hidden workflow coupling is dangerous because it enables unreviewed cross-tool actions and can turn model output into operational instructions for sending files or URLs to users.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding:
The code reads the Poe API key from a host-wide file in ~/.openclaw/openclaw.json, which expands the skill's access beyond its own directory and creates hidden credential coupling to external state. While it appears intended for convenience rather than abuse, this broader credential access increases risk because the skill can consume sensitive host configuration not explicitly declared in the file itself.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The README explicitly advertises sending prompts and attached files, including images, PDFs, audio, and video, to Poe's API but does not warn users that this transfers potentially sensitive data to a third-party service. In a connector skill whose purpose is remote model access, omission of a privacy/data-transmission notice increases the risk of accidental disclosure of confidential content.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The README instructs users to place a live Poe API key into a local config file but does not warn that this credential is sensitive or recommend file-permission hygiene and exclusion from version control. That can lead to accidental exposure through backups, screenshots, shared home directories, or committing configuration files to repositories.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding:
The trigger list contains broad, natural-language phrases like 'poe', 'use poe', and 'ask poe' that may match ordinary user requests too eagerly. Over-broad activation can cause the wrong skill to run, leading to unexpected shell execution and unintended transmission of user prompts or attachments to a third-party service.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
Although the notes mention that attachments are base64-encoded and sent to Poe, the skill lacks a prominent upfront warning that prompts and files are transmitted to a third-party external service. In context, this is more dangerous because the skill is designed for shell-based execution and media handling, so users may unknowingly disclose sensitive text or local files.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The examples explicitly encourage uploading local files such as images and PDFs to Poe-hosted models, but provide no warning that the files leave the local environment and are sent to a third-party service. In an agent skill context, this increases the chance that users or downstream agents will transmit sensitive documents or media without informed consent or data-handling review.

Missing User Warnings

Severity: Low
Confidence: 88%
Finding:
The setup instructions tell users to export an API key but do not warn against exposing it in shell history, screenshots, logs, shared terminals, or committed shell scripts. While this is common documentation, omission of basic secret-handling guidance can lead to credential leakage and unauthorized use of the Poe account.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The script transmits user messages and any attached files directly to the Poe API, but this file contains no user-facing notice, confirmation, or consent check at the point of transmission. In a connector skill that encourages use of external AI services and supports arbitrary file uploads, this can lead to unintended disclosure of sensitive prompts, documents, images, audio, or video to a third-party provider.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The skill automatically downloads media from any URL found in model output and writes it to disk without confirmation. Since the model response is untrusted, this can cause unexpected network access, storage of malicious or oversized content, and local side effects the user did not request.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
encode_file() reads arbitrary local files, base64-encodes them, and build_file_messages() prepares them for transmission to the Poe API without any user-facing disclosure in this code path. This can cause unintended exfiltration of sensitive local data if a user supplies a sensitive path or if another part of the skill forwards files implicitly.

Shadow Command Trigger

Severity: Medium
Category: Trigger Abuse
Confidence: 85%
Finding:
The trigger phrase 'ask poe' overlaps with the common built-in verb 'ask', creating command-shadowing risk. This can cause users intending a generic ask action to invoke this skill instead, which is especially risky here because it may execute shell commands and forward content to Poe without the user realizing the routing changed.

VirusTotal

64/64 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.