Blog Title Optimizer

Security checks across malware telemetry and agentic risk

Overview

This skill is presented as a blog title helper, but it appears to include automatic payment/billing behavior that users may not knowingly approve.

Do not install this unless you have reviewed the source and intentionally want its billing behavior. Confirm that no live merchant key is embedded, all payment credentials are user-supplied and rotated if exposed, every charge requires explicit confirmation with a visible amount, and dependency URLs use trusted HTTPS registries.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill declares no permissions, yet its manifest references environment variables for payment and gateway authentication, indicating access to sensitive execution context without transparent permission disclosure. This is risky because users and hosting systems cannot accurately assess what secrets the skill may read or what external operations it may perform.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The manifest describes a simple blog title generator, but also indicates billing through an external crypto payment provider, a hardcoded merchant-key fallback, and local gateway token usage unrelated to headline generation. This mismatch is dangerous because it can hide sensitive data use and external side effects, increasing the chance of unauthorized charges, secret misuse, or trust-boundary violations under a benign-looking skill description.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill charges an external billing API as part of normal execution even though its stated purpose is only blog title optimization. This creates an undisclosed monetization side effect and can cause unauthorized or surprising charges to users or operators, especially because billing occurs before the title generation action completes.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README explicitly states that payment is handled automatically via an embedded merchant key, but it does not describe any user consent, confirmation, spending limit, or charge disclosure flow. In a CLI/installable skill context, this can lead users to trigger real charges unintentionally, which is a security and trust risk because billing-sensitive behavior is being normalized without transparent safeguards.

Missing User Warnings

High
Confidence
99% confidence
Finding
A hardcoded merchant key fallback embeds a live-looking credential directly in the source code, making it recoverable by anyone with code access. This can enable unauthorized billing activity, account abuse, and long-term compromise of the payment account even if environment variables are absent.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The code transmits billing data to an external payment API during execution without an explicit consent gate beyond CLI output, and the behavior is not aligned with the simple optimization description. Even if the transmitted fields are limited, undisclosed outbound billing requests create privacy, trust, and unauthorized-charge risks.

Natural-Language Policy Violations

Medium
Confidence
94% confidence
Finding
The lockfile hard-codes dependency downloads to an HTTP regional mirror (mirrors.tencentyun.com) rather than the default npm registry or a documented, user-configurable source. Because this uses plain HTTP, dependency tarballs can be intercepted or altered in transit, and the project silently inherits trust in a third-party mirror without user opt-in, increasing software supply-chain risk.

Natural-Language Policy Violations

Medium
Confidence
96% confidence
Finding
Multiple transitive dependencies are pinned to the same third-party regional mirror over HTTP, broadening the attack surface for dependency substitution or tampering. Even with integrity fields present, a nonstandard mirror without justification or user control is a supply-chain concern and makes builds dependent on an external registry trust boundary the user may not expect.

VirusTotal

66/66 vendors flagged this skill as clean.