Security audit

FaceBook Go-To-Market - How to build on Facebook Groups

Security checks across malware telemetry and agentic risk

Overview

This skill is a high-impact financial agent skill whose actual capabilities are broader and less clearly scoped than its Amazon shopping presentation suggests.

Install only if you intend to give an agent broad real-money commerce capabilities, not just Amazon shopping. Keep per-purchase approval enabled, use low spending limits and a dedicated payment method, avoid category-only auto-approval, store the API key and any card files in protected secret storage, and verify exactly what personal, shipping, buyer, and payment data will be sent before enabling purchases, invoices, or storefront features.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (17)

Description-Behavior Mismatch

High

Confidence: 99% confidence
Finding: The file's declared capability is to create checkout pages, invoices, payment links, and seller storefronts, which is materially different from the advertised Amazon shopping/owner-approved spending purpose. This kind of scope mismatch is dangerous because an agent or reviewer may grant the skill permissions appropriate for procurement while the skill actually enables public payment collection and monetization workflows.

Context-Inappropriate Capability

High

Confidence: 98% confidence
Finding: Public payment collection, invoicing, and checkout-link generation are unrelated to an Amazon shopping skill and expand the operational scope into receiving funds from third parties. In an agent setting, this could enable unauthorized billing, social engineering, or exfiltration of customer data under the guise of a procurement tool.

Context-Inappropriate Capability

High

Confidence: 98% confidence
Finding: Seller-profile and public shop publication features are unrelated to buying on Amazon and introduce storefront management and digital-product sales capabilities. This broadens the blast radius from purchasing to operating a public commerce endpoint, which can be abused to publish products, collect payments, and distribute links or goods without matching user expectations.

Description-Behavior Mismatch

Medium

Confidence: 94% confidence
Finding: The file materially expands the skill’s operational scope from Amazon-only purchasing to Shopify and arbitrary URL-based purchases. That broadening increases the set of merchants, product formats, and transaction flows an agent may invoke, creating a capability mismatch between the advertised skill purpose and the documented behavior that can lead to unintended real-world purchases.

Description-Behavior Mismatch

Medium

Confidence: 89% confidence
Finding: The guide states that CreditClaw routes orders through Crossmint and places real orders with supported merchants generally, not just Amazon. This indicates the endpoint can trigger real transactions across a broader commerce surface than the skill name and description suggest, increasing the risk of over-privileged or misleading agent behavior.

Description-Behavior Mismatch

High

Confidence: 96% confidence
Finding: The manifest presents the skill as Amazon shopping, but the body documents a much broader financial platform: multi-rail payments, wallet management, seller tooling, invoicing, and storefront operations. This scope mismatch is dangerous because users or orchestrators may grant permissions under the assumption of a narrow shopping capability while actually enabling broad money movement and commerce features.

Context-Inappropriate Capability

High

Confidence: 95% confidence
Finding: The skill includes third-party charging, checkout pages, invoices, shop pages, and seller profile management, which are unrelated to an Amazon shopping function. These capabilities materially expand the blast radius from purchasing goods to operating payment collection infrastructure, increasing the risk of fraud, misuse, or unexpected financial actions.

Context-Inappropriate Capability

Medium

Confidence: 90% confidence
Finding: The documented payment rails and management features go beyond a single-purpose Amazon checkout workflow and introduce generalized spending infrastructure. Even if individually legitimate, bundling them into an Amazon-branded skill can mislead users about the true authority being delegated and normalize broader payment operations than expected.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The documentation includes collecting buyer name and email and sending invoices without any privacy notice, data-minimization guidance, or user-impact warning. Handling personal data in an agent-accessible skill increases risk of unintended collection, retention, or transmission of PII to external services and recipients.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The webhook section encourages automatic fulfillment actions such as granting API access or sending download links after payment, but does not warn about verification, replay handling, or the consequences of automated delivery. In an agent context, this can lead to unauthorized access grants or unintended product delivery if webhooks are spoofed, mishandled, or over-trusted.

Missing User Warnings

Medium

Confidence: 87% confidence
Finding: Although the text mentions real orders are placed, it does not present an explicit user warning at the point of use that submitting the request transmits personal shipping data and may initiate a real purchase via external services. In an agent context, weak disclosure increases the chance of accidental sensitive-data sharing and unintended commerce actions.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill explicitly instructs the agent to persist a self-contained encrypted payment card artifact to local disk, but does not require user-visible consent, secure storage controls, or deletion/retention guidance. Even though the file is encrypted, it is still sensitive payment material paired with a documented retrieval/decryption flow, so local compromise, backup leakage, overbroad file access, or accidental inclusion in logs/repos increases exposure.

Missing User Warnings

High

Confidence: 98% confidence
Finding: The alternative flow tells the main agent to execute checkout steps directly, which causes decrypted card data to enter the primary agent context. That undermines the stated isolation model and creates risk of prompt/context retention, tool traces, memory features, logs, debugging output, or later unintended disclosure to other tasks handled by the same agent.

Missing User Warnings

Medium

Confidence: 86% confidence
Finding: The document instructs an agent to obtain payment signatures and spend USDC, but it does not prominently warn that these actions can cause real financial charges. In an agent skill, omission of an explicit financial-impact warning increases the risk of accidental autonomous spending by users or downstream integrators who may treat the examples as routine API calls.

External Transmission

Medium

Category: Data Exfiltration
Content: ### Fetch Pending Messages ```bash curl https://creditclaw.com/api/v1/bot/messages \ -H "Authorization: Bearer $CREDITCLAW_API_KEY" ```
Confidence: 82% confidence
Finding: curl https://creditclaw.com/api/v1/bot/messages \ -H "Authorization: Bearer $CREDITCLAW_API_KEY" ``` Response: ```json { "bot_id": "bot_abc123", "messages": [ { "id": 1, "event_

Autonomous Decision Making

Medium

Category: Excessive Agency
Content: **You must follow these rules:** - If `approval_mode` is `ask_for_everything`, ask your human before any purchase to get their approval. **New accounts default to this mode.** Your owner can loosen this from their dashboard once they're comfortable. - If `approval_mode` is `auto_approve_under_threshold`, you may spend freely up to `ask_approval_above_usd`. Anything above that requires owner approval. - If `approval_mode` is `auto_approve_by_category`, you may spend freely on `approved_categories` within limits. All others require approval. - **Never** spend on `blocked_categories`. These are hard blocks enforced server-side and will be declined. - Always read and follow the `notes` field — these are your owner's direct instructions.
Confidence: 88% confidence
Finding: auto_approve

Autonomous Decision Making

Medium

Category: Excessive Agency
Content: **You must follow these rules:** - If `approval_mode` is `ask_for_everything`, ask your human before any purchase to get their approval. **New accounts default to this mode.** Your owner can loosen this from their dashboard once they're comfortable. - If `approval_mode` is `auto_approve_under_threshold`, you may spend freely up to `ask_approval_above_usd`. Anything above that requires owner approval. - If `approval_mode` is `auto_approve_by_category`, you may spend freely on `approved_categories` within limits. All others require approval. - **Never** spend on `blocked_categories`. These are hard blocks enforced server-side and will be declined. - Always read and follow the `notes` field — these are your owner's direct instructions. - Cache this for up to 30 minutes. Do not fetch before every micro-purchase.
Confidence: 88% confidence
Finding: auto_approve

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.