Security audit

AI Writing Skill with Human-like Characteristics

Security checks across malware telemetry and agentic risk

Overview

This paid writing skill needs review because it sends and stores prompts/payment data and includes a bundled tool that can fake a successful payment credential.

Install only if you are comfortable with writing prompts and payment credentials being sent to adeeptools.com and stored locally in OpenClaw order files. Avoid sensitive or proprietary prompts, review the charge before use, delete old order files when no longer needed, and do not run `scripts/mock_credential.py`; the publisher should remove that helper and rotate any exposed key material.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The skill instructs creation of a local order file specifically for another skill (`clawtip`) to consume, creating cross-skill state coupling through the filesystem. This is dangerous because it enables confused-deputy behavior, weakens isolation between skills, and can allow one skill to influence another skill's privileged payment flow using locally staged data.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The documentation hard-codes access to `~/.openclaw/skills/orders/{indicator}/{order_no}.json` and reuses another skill's payment state, including later reading back a `payCredential` from the same file. This creates an insecure shared-state channel where payment artifacts and user request data may be exposed, modified, replayed, or confused across skills, making the payment and fulfillment boundary much more dangerous than the stated writing purpose suggests.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This file hard-codes payment-related values and a cryptographic key used to produce a credential representing a successful payment. Even if described as a local test tool, embedding the same key used by the application enables anyone with repository access to forge payment-success artifacts and potentially bypass the paid-access control for the skill.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The `make_credential` function constructs a payload with `payStatus` set to `SUCCESS` and encrypts it into a valid-format credential. In the context of a writing skill that charges per use, this directly supports payment bypass and unauthorized service consumption if the backend accepts these credentials.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The 'local debugging only' disclaimer does not reduce risk because the script includes a static real-looking key and produces credentials in the same format expected by the service. This mismatch between documentation and capability is dangerous: attackers can reuse the embedded secret and the exact generation logic outside the intended local environment.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger phrases are extremely broad and overlap with ordinary writing requests, increasing the chance the skill is auto-invoked in situations where users did not intend to initiate a paid, networked workflow. In context, this is more risky because invocation can lead to order creation, payment handling, and transmission of user prompts to a remote service.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill warns about payment but does not clearly disclose that the user's full writing request is sent to a remote service to create the order and fulfill the content generation. This is a transparency and privacy problem: sensitive prompts, personal writing topics, or proprietary content may be transmitted off-device without meaningful informed consent.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script sends both the user's writing prompt (`question`) and a payment-related credential to a third-party remote API. While the transfer uses HTTPS, there is no explicit consent prompt, warning, minimization, or redaction before exfiltrating potentially sensitive user content and payment-linked data off the local system. In this skill context, remote processing is expected, but the paid-service/payment-verification design makes the credential especially sensitive and increases privacy and misuse risk if users are not clearly informed.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script sends the user's full question to an external service at adeeptools.com, but there is no explicit user-facing notice or consent step in this code path before transmission. Because the prompt may contain sensitive or proprietary text, undisclosed network exfiltration to a third party creates a real privacy and data-governance risk, especially for a paid content-generation skill that encourages long-form user input.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script stores the user's question together with payment/order metadata and encrypted data in a predictable per-skill directory under the user's home folder without warning the user. Local persistence of potentially sensitive prompts can expose private data to other local users, backup systems, endpoint tooling, or later compromise, and the payment context makes the stored metadata more sensitive than a transient request alone.

VirusTotal

65/65 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.