RevenueCat

Security checks across malware telemetry and agentic risk

Overview

This RevenueCat skill is a disclosed API/documentation helper that uses a RevenueCat API key, with no hidden persistence or automatic destructive behavior found.

Install only if you are comfortable giving the agent RevenueCat API access. Use the least-privileged or read-only key available, avoid exposing broad customer data unless needed, and require explicit human confirmation before using any referenced POST, DELETE, refund, cancel, webhook, product, entitlement, offering, project, or balance-changing operation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (34)

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill is presented as analytics, customer-data, and documentation search, but its referenced API surface includes destructive and administrative operations such as CRUD, refunds, cancellations, API keys, integrations, and virtual currencies. That mismatch can cause an agent or user to invoke high-risk write actions under the assumption that the skill is read-oriented, increasing the chance of unauthorized changes or financial impact.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill metadata says it should be used for RevenueCat metrics, customer data, and documentation search, but this reference file exposes many mutation and administrative endpoints such as customer deletion, entitlement grants, transfers, balance updates, and block-list management. That scope expansion materially increases the chance an agent could perform destructive or privilege-changing actions when a user only intended analytics or lookup behavior.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The file documents broad configuration-management and mutating entitlement endpoints, including create, update, attach/detach products, and delete, even though the skill is described as focused on analytics, customer data, and documentation search. This creates a scope mismatch that could cause an agent or integrator to expose privileged administrative actions through a skill users would reasonably expect to be read-oriented, increasing the risk of unauthorized or unintended changes.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
Administrative entitlement mutation capabilities are not justified by a skill positioned for subscription analytics, customer data, and docs search. In this context, exposing creation, modification, product attachment changes, and deletion makes the skill materially more dangerous because a user or prompt injection could pivot from information retrieval into live billing/entitlement reconfiguration.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The skill is described as analytics, customer data, and documentation search, but this file documents write-capable webhook administration endpoints including create, update, and delete. That expands the operational scope into configuration management and destructive actions, increasing the chance an agent could be induced to modify integrations or exfiltrate events to an attacker-controlled webhook URL.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
Webhook integration administration is context-inappropriate for a skill positioned as read-oriented analytics and documentation lookup. In this context, exposing administrative integration operations makes prompt misuse more plausible because users and higher-level agents may assume the skill is non-destructive while it can actually reconfigure outbound data flows.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The documented skill surface includes creation, update, attachment, detachment, and deletion endpoints for offerings and packages, which goes beyond the declared purpose of metrics, customer data, and documentation search. This scope mismatch is dangerous because an agent or user expecting read-only analytics/docs behavior could be induced to perform live subscription-configuration changes or destructive actions in production.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
Administrative subscription configuration operations are exposed even though the skill is presented as analytics/customer-data/docs functionality. In context, this makes accidental misuse and privilege overreach more likely, enabling unauthorized changes to offerings, packages, and product associations that can affect pricing presentation and subscription purchase flows.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The skill is described as supporting RevenueCat metrics, customer data, and documentation search, but this file documents operational endpoints that create and delete paywalls. That scope mismatch is dangerous because an agent or user may reasonably assume the skill is read-oriented while it actually exposes configuration-changing actions, increasing the chance of unintended destructive use.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill is described as being for metrics, customer data, and documentation search, but this file exposes mutating product-management capabilities including create, delete, and store-push operations. That mismatch increases the chance an agent or user will invoke state-changing endpoints in a context that appears read-oriented, leading to unauthorized or unexpected changes in project configuration.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The referenced API surface includes write and destructive administrative operations such as creating projects, creating apps, updating apps, and deleting apps, which materially exceeds the skill's stated scope of subscription analytics, customer data, and documentation search. This broad capability expansion increases the chance that an agent using the skill could be induced to perform unauthorized state-changing actions or infrastructure modifications under the guise of a read-oriented task.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
Administrative project and app management endpoints are not justified by the declared use case, making the skill overprivileged relative to its purpose. In agent settings, this mismatch is especially dangerous because ambiguous user requests about apps or subscriptions could be misinterpreted into project/app creation, reconfiguration, or deletion operations.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The documented refund action materially expands the skill from read-oriented analytics and customer lookup into a state-changing financial operation. In an agent context, exposing a refund endpoint without clearly constraining when it may be used creates a realistic risk of unauthorized or mistaken refunds, especially if the skill is selected for analytics/customer-support tasks where users may not expect destructive actions.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill is described as being for RevenueCat metrics, customer data, and documentation search, which implies a read-oriented scope. Documenting cancellation and refund endpoints introduces destructive financial operations that exceed that scope and could enable an agent or downstream integrator to perform unauthorized subscription changes or refunds if the skill is exposed with broader credentials.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The authenticated management URL endpoint creates a secure, single-use portal link that grants temporary customer access. In a skill framed as analytics/customer-data/docs search, exposing credential-bearing access URLs broadens capability into account access delegation and increases the risk of accidental disclosure, phishing-style misuse, or unintended customer impersonation workflows.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The skill is described as supporting RevenueCat metrics, customer data, and documentation search, but this file exposes operational endpoints to create, update, and delete virtual currencies. That is a clear scope expansion from read-oriented analytics/docs use into privileged configuration management, which increases the chance an agent could be induced to perform unauthorized administrative actions.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The documented create and delete operations are administrative actions unrelated to the stated purpose of querying analytics, customers, or docs. In an agent setting, undocumented privilege expansion is dangerous because prompt-injected or mistaken requests could mutate billing/game economy configuration instead of merely retrieving information.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The update endpoint allows modification of virtual-currency metadata and grants, which is outside the advertised analytics/customer/docs context. Because product grants can affect entitlement or economic behavior, exposing update capability through a broadly scoped skill creates a meaningful risk of unauthorized or accidental business-impacting changes.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill instructs use of an `RC_API_KEY` secret with access to project data but provides no warning about credential sensitivity, scope, storage, logging, or the customer/business data reachable through that key. In this context, the key can expose subscription analytics and customer records, so poor handling could lead to credential leakage or unintended data disclosure.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The documentation includes a delete-customer endpoint with no warning about irreversibility, data loss, or need for explicit operator confirmation. In an agent setting, omission of such guardrails makes accidental or prompt-induced destructive actions more likely, especially because the operation targets customer records directly.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The get-customer endpoint returns profile and potentially sensitive customer metadata, and can expand attributes with an additional permission, but the markdown does not warn about privacy, least-privilege access, or handling of customer data. In a skill designed for broad customer and docs queries, this increases the risk of unnecessary exposure of personal or account-linked information.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The documentation includes a destructive DELETE entitlement operation without any cautionary note, safety guidance, or indication of irreversibility. In an agent-consumable skill, omission of warnings increases the chance that automated workflows or users invoke deletion casually, leading to service disruption or entitlement loss.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The documentation presents a destructive DELETE endpoint without any warning, confirmation guidance, or cautionary language. In agentic settings, missing safety cues can materially increase the risk of accidental deletion of webhook integrations, causing loss of event delivery and operational disruption.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The delete operation for offerings lacks any explicit warning about irreversible effects, despite stating that attached packages are also deleted. In an agent setting, absence of prominent destructive-action warnings increases the chance of accidental execution and incomplete user understanding of cascading impact.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation includes a DELETE paywall endpoint without any warning that the action is destructive and may be irreversible or operationally impactful. In an agent setting, absence of a clear warning materially increases the risk that a model or user invokes deletion casually or as part of a mistaken workflow.

VirusTotal

60/60 vendors flagged this skill as clean.
