Back to skill

Security audit

Promify Creative Generator

Security checks across malware telemetry and agentic risk

Overview

This skill does what it advertises: it uses a Promify API key and product page details to generate ad creatives through Promify.

Install this if you are comfortable using Promify and storing a Promify API key in OpenClaw. Do not use private, internal, pre-release, or confidential product pages unless you are comfortable sending the extracted product details and image URL to Promify; ask the agent to pause for your approval before generation if you want an extra review step.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger phrases are broad enough to match generic image or marketing requests that may not clearly imply use of a third-party ad-generation service. This can cause the skill to activate unexpectedly and route user content into a workflow involving external fetching and API submission without sufficiently clear user intent.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill instructs automatic retrieval of a product page from a user-supplied URL without an explicit notice that an external network request will be made. This creates privacy and safety risk because users may provide internal, sensitive, or tracking-laden URLs, and the agent is told to fetch them immediately.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill sends extracted product information to the Promify API but does not clearly warn the user that their content will be transmitted to a third-party service. Even if the data seems business-related, product descriptions, pricing, and image URLs may be confidential or pre-release information, making silent sharing risky.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.