
Security audit

Lucky Gumroad Automation

Security checks across malware telemetry and agentic risk

Overview

This skill can control a live Gumroad seller account through a saved browser session, but it does not clearly require user approval before sensitive store actions.

Install only if you own or administer the referenced Gumroad account and intentionally want an agent to use its saved login. Require explicit confirmation before publishing products, changing profile/account details, uploading files, exporting sales data, or using customer emails, and run the browser profile only in an isolated environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium (95% confidence)
Finding
The activation condition is overly broad and can cause the skill to be invoked for almost any Gumroad-related request, including tasks that do not require direct account access or browser automation. Because this skill operates against a live pre-authenticated seller session, over-triggering increases the chance of unnecessary access to account data or unintended account modifications.

Missing User Warnings

Medium (97% confidence)
Finding
The skill enables profile editing, product management, and data retrieval using a pre-authenticated Chrome profile but does not provide prominent warnings that it will access a live account and may change production data. This creates a significant risk of users or downstream agents invoking the skill without understanding that it can expose sales/customer information or perform irreversible account actions.

VirusTotal

59/59 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.