Twitter Content Generator

Security checks across malware telemetry and agentic risk

Overview

This skill mostly does Twitter/X content generation, but its billing flow is inconsistent and can make real payment calls with an embedded merchant key.

Install only if you are comfortable with a pay-per-use tool that contacts SkillPay before generation. Check which merchant key/account is being used, avoid running `npm test` with real payment credentials, and prefer waiting for the publisher to remove the embedded key, add explicit charge confirmation, align the documentation, and fix the package-lock provenance issues.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill declares no permissions, yet its documented behavior relies on environment variables such as payment and gateway tokens. That creates a transparency and consent problem: users may invoke what appears to be a simple content-generation skill without realizing it accesses sensitive local secrets. In this context, undeclared env access is risky because merchant keys and gateway tokens can enable billing actions or authenticated API use.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The skill is presented as a Twitter/X content generator, but its behavior also includes payment processing, use of a merchant key from the environment or an embedded default key, and gating normal functionality on payment success. This mismatch is dangerous because users may not expect external billing flows or embedded credentials in a content tool, increasing the chance of unauthorized charges, secret misuse, and trust-boundary violations. The skill context makes this more concerning, not less, because payment handling is unrelated to the core content-generation purpose and is not prominently disclosed as operational behavior.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill's stated purpose is Twitter/X content generation, but its main flow also performs a billing transaction before generating output. This expands the trust boundary and can cause users to authorize or trigger financial operations that are not clearly necessary for the advertised capability, especially given the embedded fallback key elsewhere in the file.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Payment-processing capability is not intrinsic to generating tweet text and is invoked automatically in normal execution. In this context, hidden or bundled billing behavior is risky because users may run a content tool without expecting it to initiate external financial transactions.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The comments tell users the skill requires their own SkillPay merchant key, but the configuration silently falls back to a hardcoded key. This deception can route charges through an embedded account without informed consent, creating strong risk of unauthorized monetization or fraud.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README states that payment is handled automatically using an embedded merchant key and explicitly says no setup is required, but it does not clearly warn users when charges occur, how consent is obtained, or what transaction behavior to expect. In a CLI skill that users may install and run directly, this creates a meaningful risk of unexpected paid actions and reduces informed consent around financial operations.

Missing User Warnings

High
Confidence
99% confidence
Finding
An embedded merchant key is present in code and is used for live payment processing without a clear, point-of-charge warning. This enables the skill to initiate financial transactions against a predefined account, which is especially dangerous because users are told elsewhere that their own key is required.

Natural-Language Policy Violations

Medium
Confidence
97% confidence
Finding
The natural-language setup instructions claim one security/payment model, while the code implements a contradictory fallback to a built-in key. This mismatch is dangerous because it misleads users and reviewers about where money flows and undermines informed consent.

VirusTotal

66/66 vendors flagged this skill as clean.
