Email Subject Generator

Security checks across malware telemetry and agentic risk

Overview

This skill appears to generate email subject lines as advertised, with disclosed pay-per-use billing and local OpenClaw agent use.

Install only if you are comfortable with automatic 0.001 USDT SkillPay billing on normal runs, use --test when you do not want a charge, avoid exposing a SKILLPAY_MERCHANT_KEY unless intended, and treat the HTTP mirror lockfile entries as a dependency-provenance issue to verify before use.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration

Findings (9)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 85% confidence
Finding: The skill declares access to environment variables such as payment and gateway tokens, but does not declare corresponding permissions or clearly disclose that sensitive configuration may be consumed. Hidden or undocumented env access weakens transparency and makes it harder for users to assess what secrets the skill may read or use at runtime. In a monetized skill, that ambiguity is more concerning because payment credentials and auth tokens are involved.

Tp4

High

Category: MCP Tool Poisoning
Confidence: 92% confidence
Finding: The skill is presented as a simple email subject generator, but the metadata also indicates billing, merchant-key usage, and payment-gated access. That mismatch is dangerous because users may invoke the skill expecting only local text generation while unknowingly triggering monetization logic or sending data to external payment infrastructure. The presence of an 'embedded key used by default' further increases risk by obscuring financial behavior and trust boundaries.

Description-Behavior Mismatch

High

Confidence: 97% confidence
Finding: The skill’s advertised function is generating email subject lines, but it also performs a live charge to an external billing service before completing the core action. This is dangerous because it creates an undisclosed financial side effect unrelated to content generation and could cause unauthorized or unexpected charges, especially if users run the tool without fully understanding the payment behavior.

Context-Inappropriate Capability

High

Confidence: 88% confidence
Finding: The skill spawns an external binary (`openclaw`) to process user-controlled content, introducing execution of an out-of-process agent that is not necessary for a simple subject-line generator. While `spawn` is used with argument separation rather than shell interpolation, this still expands the trust boundary, may execute unreviewed code or agent behavior, and can expose user input to another executable without clear disclosure.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The README states that payment is handled automatically via an embedded merchant key and offers a '--test' flag, but it does not clearly warn users that normal use may trigger real charges. In a CLI skill, this can lead to unexpected paid actions, especially if users assume generation is free unless they explicitly opt in to billing.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The documentation references a payment merchant key and a local API fallback token, but does not warn that prompts, metadata, or credentials may be transmitted to external services. For a marketing-content skill, users may paste campaign details, product plans, or customer-related text; absent disclosure, that creates privacy and secret-handling risk. Even if the gateway is local, the payment flow and fallback architecture introduce external-service trust assumptions that should be explicit.

Missing User Warnings

High

Confidence: 99% confidence
Finding: A hardcoded fallback merchant key is embedded directly in the source and used automatically when the environment variable is absent. This is dangerous because secrets in code can be extracted, reused, or abused by anyone with access to the package, leading to fraudulent charges, account misuse, or billing impersonation.

Natural-Language Policy Violations

Low

Confidence: 97% confidence
Finding: The lockfile resolves packages from plain HTTP region-specific mirror URLs, which removes transport-layer authentication and integrity protection for the package download itself. Although npm lockfiles include integrity hashes, using unauthenticated mirrors still increases supply-chain risk through interception, mirror tampering, metadata substitution, or operational dependence on an unreviewed third-party registry path.

Natural-Language Policy Violations

Low

Confidence: 95% confidence
Finding: Additional dependencies are also pinned to a region-specific HTTP mirror, broadening the software supply-chain trust boundary beyond the default npm registry without any documented justification. In an agent skill context, this is more concerning because compromise of dependency delivery can directly affect code executed by the skill at install or runtime.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal