Environment variable access combined with network send.
Critical
- Code
- suspicious.env_credential_access
- Location
- scripts/check-purchase.mjs:27
Security audit
Security checks across malware telemetry and agentic risk
Watchpost is a disclosed purchase-safety checker that sends purchase details to its API before allowing an agent to complete payment.
Install only if you want an external Watchpost service to review purchases before your agent pays. Expect the skill to send purchase details and your WATCHPOST_TOKEN to the configured Watchpost API, and review the API URL if you need to pin it to a trusted endpoint.
60/60 vendors flagged this skill as clean.
Detected: suspicious.env_credential_access