Creem Store Agent

Security checks across malware telemetry and agentic risk

Overview

This skill is internally consistent and shows no malicious behavior, but it can automatically change Creem discounts and customer subscriptions based on AI decisions before a person approves them.

Install it only if you intentionally want a Creem agent that can affect live discounts and customer subscriptions. Use test or least-privileged Creem credentials, restrict the Telegram chat to trusted operators, review the Anthropic and Telegram data-sharing implications for customer information, and disable or patch auto-execution unless you are comfortable with billing and subscription changes happening before human review.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (18)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill declares access to sensitive environment variables and clearly relies on networked behavior, but it does not declare explicit permissions for those capabilities. That weakens the trust boundary for users and tooling because the skill can handle API keys and communicate externally without a clear permission contract. In a skill that integrates payments, webhooks, Telegram, and an LLM API, hidden or implicit capabilities materially increase security and review risk.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The action name 'SUGGEST_PAUSE' implies a non-destructive recommendation, but the implementation directly pauses the customer's subscription. This semantic mismatch is dangerous because upstream components, operators, or LLM policies may authorize 'suggestions' while assuming no state-changing action will occur, leading to unintended account modification.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
Although the skill is described as a monitoring, alerting, and analysis agent, this code autonomously creates discounts in the store backend. That expands the capability from observation to financial/account modification, which is risky because users or integrators may deploy it under the assumption it is read-only or advisory, enabling unauthorized promotional changes if an LLM or workflow triggers this path.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README advertises autonomous discounts and subscription pauses but does not clearly warn that the agent can modify live customer subscriptions and business billing state. In a payments/customer-account context, this is risky because operators may enable it without understanding that an LLM-driven workflow can take irreversible or customer-visible actions.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README states that Claude Haiku analyzes churn events using customer tenure, revenue, and cancel reasons, but it does not disclose that customer/business data is sent to a third-party AI provider. This creates privacy, compliance, and data-governance risk because operators may unknowingly transmit personal or sensitive subscription data outside their primary systems.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill advertises autonomous retention actions such as creating discounts or pausing subscriptions, but it does not provide a clear warning that it may modify customer billing or subscription state. In a payments/subscription context, this is risky because users may enable the skill without understanding that it can take business-affecting actions, and any misuse, prompt error, or compromised workflow could alter customer accounts or revenue-impacting settings.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The article explicitly describes autonomous creation of discounts and subscription pauses based on AI confidence, but it does not include a clear warning that these actions can change pricing and customer subscription state without prior manual review. In the context of a reusable agent skill, this normalizes high-impact automated business actions and may lead operators to deploy it without understanding the financial, legal, and customer-trust risks of incorrect or abusive execution.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The script transmits customer identifiers such as email addresses to whatever endpoint is configured in WEBHOOK_URL, with no confirmation, redaction, or environment safety checks. If WEBHOOK_URL points to a non-local or attacker-controlled endpoint, the demo will disclose personal data during testing and may normalize sending real-looking customer data off-host.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The server logs customerEmail and productName to stdout during churn analysis, which can expose personally identifiable information in console logs, log aggregators, container logs, or shared monitoring systems. While this is not an exploit primitive by itself, it creates unnecessary privacy and compliance risk if logs are retained or accessed by unauthorized parties.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The submission explicitly advertises autonomous creation of retention discounts and subscription pauses, but it does not clearly warn users that the agent can modify live customer billing/subscription state. In a commerce context, hidden or under-emphasized autonomous actions can cause unauthorized business changes, customer harm, and financial or compliance issues if operators enable the skill without understanding its write capabilities.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code allows an LLM-generated decision to trigger executeAction automatically once a confidence threshold is met, without a human approval gate at execution time. In this skill’s context, actions affect subscriptions/churn handling in an external commerce system, so model error, prompt manipulation via webhook-derived data, or bad classifications could directly cause unauthorized business actions.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The code sends customer-identifying and account data, including email, product, revenue, tenure, and cancellation reason, to an external LLM provider via `client.messages.create`. This creates a real privacy and data-governance risk because sensitive business and personal data is disclosed to a third party without evidence in this file of minimization, consent, masking, or contractual controls; additionally, `cancelReason` is untrusted user text and may contain extra sensitive information.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The code formats and sends churn alerts containing direct customer identifiers and sensitive business context, including email, cancellation reason, revenue, and tenure, to a Telegram chat. Even if intended for operators, this creates a privacy and data-leakage risk because Telegram may be an external third-party channel, chats can include multiple recipients, and this file shows no minimization, consent, redaction, or access-control safeguards around that disclosure.
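
Four of the findings above (customerEmail and productName written to stdout, the raw churn alert posted to Telegram, the LLM prompt built from email, revenue, tenure and cancelReason, and the WEBHOOK_URL demo payload) share one root cause: the churn context leaves the host verbatim. The TypeScript below is an added example of a minimization layer that could sit in front of all four sinks; it is not the skill's own code. The ChurnContext field names, the band edges, the pseudonym key and the sample event are assumptions constructed for the example.

```typescript
import { createHmac } from "node:crypto";

// Per-event context the agent assembles from a Creem webhook.
// Field names are assumptions for this example, not the skill's own types.
export interface ChurnContext {
  subscriptionId: string;
  customerEmail: string;
  productName: string;
  revenueCents: number;     // monthly revenue
  tenureDays: number;
  cancelReason: string;     // free text typed by the customer: untrusted input
}

// The only shape allowed to leave the host: stdout, Telegram, the LLM prompt, the webhook payload.
export interface MinimizedChurnContext {
  customerRef: string;      // keyed pseudonym: same customer -> same ref, not reversible from alerts
  productName: string;
  revenueBand: string;
  tenureBand: string;
  cancelReason: string;     // scrubbed and truncated
}

const CARD_RE = /\b\d(?:[ -]?\d){12,18}\b/g;    // 13-19 digits; applied first so phone matching cannot eat a PAN
const EMAIL_RE = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/gi;
const PHONE_RE = /\+?\d[\d\s().-]{7,}\d/g;

// HMAC rather than a plain hash: without the key, someone holding only the alerts
// cannot confirm a guessed address by hashing it and comparing.
export function pseudonymize(email: string, key: string): string {
  const normalized = email.trim().toLowerCase();
  return "cust_" + createHmac("sha256", key).update(normalized).digest("hex").slice(0, 16);
}

// For the few places a human must still recognise the customer, e.g. the operator's approval prompt.
export function maskEmail(email: string): string {
  const at = email.indexOf("@");
  if (at < 1) return "***";
  return email.charAt(0) + "***" + email.slice(at);
}

// Customers paste card numbers, phone numbers and other addresses into cancel reasons;
// none of that should reach a chat channel or a model provider.
export function scrubFreeText(text: string, maxLen = 200): string {
  const cleaned = text
    .replace(CARD_RE, "[card]")
    .replace(EMAIL_RE, "[email]")
    .replace(PHONE_RE, "[phone]")
    .replace(/[\r\n]+/g, " ")
    .trim();
  return cleaned.length > maxLen ? cleaned.slice(0, maxLen) + "..." : cleaned;
}

// Coarse bands keep the signal a churn analysis needs without forwarding exact figures.
function band(value: number, edges: number[], unit: string): string {
  for (const edge of edges) if (value < edge) return `<${edge}${unit}`;
  return `>=${edges[edges.length - 1] ?? 0}${unit}`;
}

export function minimize(ctx: ChurnContext, pseudonymKey: string): MinimizedChurnContext {
  return {
    customerRef: pseudonymize(ctx.customerEmail, pseudonymKey),
    productName: ctx.productName,
    revenueBand: band(ctx.revenueCents / 100, [10, 50, 200], " USD/mo"),
    tenureBand: band(ctx.tenureDays, [30, 180, 365], " days"),
    cancelReason: scrubFreeText(ctx.cancelReason),
  };
}

// One formatter for every outbound channel, so no message is ever built from the raw context.
export function formatAlert(m: MinimizedChurnContext): string {
  return [
    `Churn signal for ${m.customerRef} (${m.productName})`,
    `revenue ${m.revenueBand}, tenure ${m.tenureBand}`,
    `reason: ${m.cancelReason}`,
  ].join("\n");
}

// Constructed sample event for a stand-alone run; not real customer data.
export const SAMPLE_EVENT: ChurnContext = {
  subscriptionId: "sub_example_001",
  customerEmail: "Jane.Doe@example.com",
  productName: "Pro Plan",
  revenueCents: 4900,
  tenureDays: 412,
  cancelReason: "Too pricey. Call me on 555-123-4567 or mail jane.doe@example.com; card 4111 1111 1111 1111 was charged twice.",
};

// The key would come from the agent's secret store in a deployment; a literal is assumed here.
console.log(formatAlert(minimize(SAMPLE_EVENT, "example-pseudonym-key")));
```

The same MinimizedChurnContext can feed the LLM prompt, the Telegram message, the stdout log line and any webhook body; the raw ChurnContext stays in process memory. Banding revenue and tenure rather than dropping them keeps the inputs the README says the analysis uses, while the keyed pseudonym still lets an operator correlate repeated alerts for one customer.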

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
- All 13 Creem webhook events with real-time Telegram alerts
- AI churn analysis via Claude Haiku with rule-based fallback
- Autonomous actions: retention discounts + subscription pause
- Confidence-based safety net: auto-execute at 80%+, human approval below
- HMAC-SHA256 webhook verification with timing-safe comparison
- Event deduplication for webhook retries
- 103 tests across 7 modules
Confidence
93% confidence
Finding
auto-execute

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
...(keyboard.length > 0 ? { reply_markup: { inline_keyboard: keyboard } } : {}),
    });

    // Auto-execute if confidence is high enough
    if (shouldAutoExecute(decision, AUTO_EXECUTE_THRESHOLD)) {
      const result = await executeAction(decision, churnCtx, creem as any);
      const resultMsg = formatActionResult(result, churnCtx);
Confidence
95% confidence
Finding
Auto-execute

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
});

    // Auto-execute if confidence is high enough
    if (shouldAutoExecute(decision, AUTO_EXECUTE_THRESHOLD)) {
      const result = await executeAction(decision, churnCtx, creem as any);
      const resultMsg = formatActionResult(result, churnCtx);
      await bot.sendMessage(`🤖 Auto-executed (confidence ${Math.round(decision.confidence * 100)}%):\n${resultMsg}`);
Confidence
90% confidence
Finding
AutoExecute

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
});

    // Auto-execute if confidence is high enough
    if (shouldAutoExecute(decision, AUTO_EXECUTE_THRESHOLD)) {
      const result = await executeAction(decision, churnCtx, creem as any);
      const resultMsg = formatActionResult(result, churnCtx);
      await bot.sendMessage(`🤖 Auto-executed (confidence ${Math.round(decision.confidence * 100)}%):\n${resultMsg}`);
Confidence
90% confidence
Finding
AUTO_EXECUTE

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
if (shouldAutoExecute(decision, AUTO_EXECUTE_THRESHOLD)) {
      const result = await executeAction(decision, churnCtx, creem as any);
      const resultMsg = formatActionResult(result, churnCtx);
      await bot.sendMessage(`🤖 Auto-executed (confidence ${Math.round(decision.confidence * 100)}%):\n${resultMsg}`);
    } else {
      // Store for manual approval
      pendingDecisions.set(churnCtx.subscriptionId, { decision, context: churnCtx });
Confidence
88% confidence
Finding
Auto-execute
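
The auto-execute path excerpted in the five findings above, together with the SUGGEST_PAUSE finding, is where a hardened version changes shape: the gate should decide on what an action does to billing state, not only on the model's confidence, and a suggestion must never be able to pause anything. The TypeScript below is an added example of such a gate and approval queue; it is not the skill's code. SUGGEST_PAUSE is the page's action name; the other action names, the Policy fields, the BillingWrites and Notifier interfaces, the ApprovalQueue class and the recording doubles in demo() are assumptions for illustration.

```typescript
// Action vocabulary the decision module may emit. SUGGEST_PAUSE is the page's name;
// the other members and every type below are assumptions for this example.
export type Action = "NO_ACTION" | "SUGGEST_PAUSE" | "PAUSE_SUBSCRIPTION" | "OFFER_DISCOUNT";

export interface Decision {
  action: Action;
  confidence: number;        // 0..1 from the model or the rule-based fallback
  discountPercent?: number;  // only meaningful for OFFER_DISCOUNT
  rationale: string;
}
export interface ChurnContext { subscriptionId: string; customerRef: string; } // pseudonym, not the raw email

// The only write surface the executor ever sees; the full Creem client stays out of reach.
export interface BillingWrites {
  pauseSubscription(subscriptionId: string): Promise<void>;
  createDiscount(subscriptionId: string, percent: number): Promise<void>;
}
export interface Notifier { send(text: string): Promise<void>; }

export interface Policy {
  allowAutoWrites: boolean;      // false: every billing change waits for a human
  autoExecuteThreshold: number;  // consulted only when allowAutoWrites is true
  maxAutoDiscountPercent: number;
}

// Ground truth for "does this action change billing state". A suggestion never does,
// so a SUGGEST_* name can no longer hide a pause behind it.
const MUTATES_BILLING: Record<Action, boolean> = {
  NO_ACTION: false, SUGGEST_PAUSE: false, PAUSE_SUBSCRIPTION: true, OFFER_DISCOUNT: true,
};

export type Verdict = { kind: "execute" } | { kind: "queue" | "reject"; reason: string };

// Pure function: the policy is testable without a Creem client or a model call.
export function gate(d: Decision, policy: Policy): Verdict {
  if (!Number.isFinite(d.confidence) || d.confidence < 0 || d.confidence > 1) {
    return { kind: "reject", reason: "confidence out of range" };
  }
  // Model output is untrusted: an action name outside the table is rejected, not guessed at.
  if (!Object.prototype.hasOwnProperty.call(MUTATES_BILLING, d.action)) {
    return { kind: "reject", reason: `unknown action ${String(d.action)}` };
  }
  if (!MUTATES_BILLING[d.action]) return { kind: "execute" };
  if (d.action === "OFFER_DISCOUNT") {
    const pct = d.discountPercent ?? NaN;
    if (!(pct > 0 && pct <= 100)) return { kind: "reject", reason: "invalid discount percent" };
    if (pct > policy.maxAutoDiscountPercent) return { kind: "queue", reason: "discount above auto cap" };
  }
  if (!policy.allowAutoWrites) return { kind: "queue", reason: "auto writes disabled" };
  if (d.confidence < policy.autoExecuteThreshold) return { kind: "queue", reason: "confidence below threshold" };
  return { kind: "execute" };
}

async function execute(d: Decision, ctx: ChurnContext, writes: BillingWrites, notify: Notifier): Promise<void> {
  switch (d.action) {
    case "NO_ACTION": return;
    case "SUGGEST_PAUSE": // advisory only: tell the operator, touch nothing
      return notify.send(`Suggest pausing ${ctx.customerRef}: ${d.rationale}`);
    case "PAUSE_SUBSCRIPTION": return writes.pauseSubscription(ctx.subscriptionId);
    case "OFFER_DISCOUNT": return writes.createDiscount(ctx.subscriptionId, d.discountPercent ?? 0); // validated by gate()
  }
}

// Replaces the page's pendingDecisions map: queued items are released only by an allow-listed approver.
export class ApprovalQueue {
  private readonly pending = new Map<string, { decision: Decision; ctx: ChurnContext }>();
  private readonly writes: BillingWrites;
  private readonly notify: Notifier;
  private readonly policy: Policy;
  private readonly approvers: ReadonlySet<string>;

  constructor(writes: BillingWrites, notify: Notifier, policy: Policy, approvers: Iterable<string>) {
    this.writes = writes; this.notify = notify; this.policy = policy; this.approvers = new Set(approvers);
  }

  async handle(d: Decision, ctx: ChurnContext): Promise<Verdict> {
    const v = gate(d, this.policy);
    if (v.kind === "execute") await execute(d, ctx, this.writes, this.notify);
    else if (v.kind === "queue") {
      this.pending.set(ctx.subscriptionId, { decision: d, ctx });
      await this.notify.send(`Needs approval (${v.reason}): ${d.action} for ${ctx.customerRef}`);
    } else await this.notify.send(`Rejected for ${ctx.customerRef}: ${v.reason}`);
    return v;
  }

  // Wired to the approve button: the sender's identity is checked, not just the callback payload.
  async approve(subscriptionId: string, approver: string): Promise<boolean> {
    const item = this.pending.get(subscriptionId);
    if (!item || !this.approvers.has(approver)) return false;
    this.pending.delete(subscriptionId);
    await execute(item.decision, item.ctx, this.writes, this.notify);
    return true;
  }

  get pendingCount(): number { return this.pending.size; }
}

// Stand-alone run against recording doubles (stand-ins for the Creem SDK and the Telegram bot).
export async function demo(): Promise<string[]> {
  const calls: string[] = [];
  const writes: BillingWrites = {
    async pauseSubscription(id) { calls.push(`pause:${id}`); },
    async createDiscount(id, pct) { calls.push(`discount:${id}:${pct}`); },
  };
  const notify: Notifier = { async send(text) { calls.push(`notify:${text}`); } };
  const policy: Policy = { allowAutoWrites: false, autoExecuteThreshold: 0.8, maxAutoDiscountPercent: 20 };
  const q = new ApprovalQueue(writes, notify, policy, ["ops-lead"]);
  const ctx: ChurnContext = { subscriptionId: "sub_example_001", customerRef: "cust_2f1a9c" };
  await q.handle({ action: "SUGGEST_PAUSE", confidence: 0.95, rationale: "long tenure, price complaint" }, ctx);
  await q.handle({ action: "PAUSE_SUBSCRIPTION", confidence: 0.97, rationale: "model very confident" }, ctx);
  calls.push(`pending:${q.pendingCount}`);
  calls.push(`impostor:${await q.approve(ctx.subscriptionId, "random-chat-member")}`);
  calls.push(`approved:${await q.approve(ctx.subscriptionId, "ops-lead")}`);
  return calls;
}

demo().then((log) => console.log(log.join("\n")));
```

With allowAutoWrites left false, a 97% confidence pause is still queued and nothing touches the subscription until an allow-listed approver acts; flipping the flag restores the page's threshold behaviour, but only for actions under the discount cap, and SUGGEST_PAUSE remains a message in every configuration.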

VirusTotal

65/65 vendors flagged this skill as clean.
